[OpenIndiana-discuss] p7zip

Jim Klimov jimklimov at cos.ru
Fri Dec 9 06:07:25 UTC 2016


8 December 2016, 23:19:02 CET, Alexander Pyhalov <alp at rsu.ru> writes:
>Tim Mooney wrote on 08.12.2016 22:05:
>> In regard to: Re: [OpenIndiana-discuss] p7zip, Alexander Pyhalov said
>> (at...:
>> 
>>> Jim Klimov wrote on 04.12.2016 20:11:
>>>> 4 December 2016, 16:16:57 CET, cpforum <cpforum at orange.fr> writes:
>>>>> Hi,
>>>>> 
>>>>> It seems that CVE-2016-9296 (2016111) affects the p7zip Hipster release
>>>>> (15.14.1-2016.0.0.3)
>>> 
>>> Hi. Yes, we missed this fix. I've just committed it.
>>> Unfortunately, pkg info is quite useless in determining which
>>> security fixes are applied to the package.
>> 
>> Yeah, we talked about that issue last year around this time. This
>> post from Peter is from the middle of the long thread, but it captures
>> one of the most interesting ideas:
>>
>> https://openindiana.org/pipermail/openindiana-discuss/2015-December/018370.html
>
>Hi.
>Yes, the idea is really interesting.
>But there are many small issues to be solved.
>
>For example, I bump a package version. A month later I find out that this
>updated version fixed some vulnerability. Should I update the security
>metadata package?
>What about CVEs which we miss? I mean, one should constantly monitor
>security lists for new issues. What about old CVEs?
>So, absence of CVE metadata in this new security package will likely
>mean 'unknown', not 'vulnerable'.
>Another, more technical issue is that we can sometimes wrongly predict the
>published package version. So, should we fix such wrongly added
>metadata?
>If we fix it, will two facts appear in the security metadata package?
>So, before implementing something similar we should analyze all pros and
>cons for a while.
>
>Another question is whether we should collect this metadata in one dedicated
>package or in the package which fixed the issue. I think a separate package
>is better as this allows us to mark CVEs as fixed-in-past.
>
>Should it be IPS metadata at all? Perhaps it could be just RSS
>extracted from some git tags?
>
>
>---
>System Administrator of Southern Federal University Computer Center
>
>

On the other hand, is there a particular benefit of patching older versions in userland as CVE fixes come out, rather than taking the newest release (assumed to include all bugfixes known to the authors)?

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
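An added illustration of the security-metadata semantics discussed in the quoted message, not code from this thread or from OpenIndiana's userland tooling: a per-package list of "CVE fixed in version" facts where a missing fact yields 'unknown' rather than 'vulnerable', and a later corrected fact supersedes a wrongly predicted version instead of leaving two contradicting entries. The Fact record, the version-string parsing and the sample fixed-in versions are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fact:
    cve: str
    package: str
    fixed_in: str  # IPS-style version, e.g. "15.14.1-2016.0.0.3" (assumed format)
    seq: int       # commit order of the fact; a later fact supersedes an earlier one


def version_key(v: str):
    """Turn 'release-branch[:timestamp]' into comparable tuples.
    Assumption: release and branch are dotted integers; any timestamp is ignored."""
    def as_tuple(s):
        return tuple(int(x) for x in s.split(".") if x)
    v = v.partition(":")[0]
    release, _, branch = v.partition("-")
    return as_tuple(release), as_tuple(branch)


def latest_facts(facts):
    """Keep only the newest fact per (cve, package), so a corrected entry
    replaces a wrongly predicted version rather than coexisting with it."""
    best = {}
    for f in facts:
        key = (f.cve, f.package)
        if key not in best or f.seq > best[key].seq:
            best[key] = f
    return best


def status(facts, package, installed, cve):
    """Tri-state answer: absence of a fact means 'unknown', never 'vulnerable'."""
    fact = latest_facts(facts).get((cve, package))
    if fact is None:
        return "unknown"
    if version_key(installed) >= version_key(fact.fixed_in):
        return "fixed"
    return "vulnerable"


# Constructed sample facts; the fixed-in versions are made up for illustration.
FACTS = [
    Fact("CVE-2016-9296", "p7zip", "15.14.1-2016.0.0.4", seq=1),  # predicted wrongly
    Fact("CVE-2016-9296", "p7zip", "15.14.1-2016.0.0.5", seq=2),  # later correction
]

if __name__ == "__main__":
    for v in ("15.14.1-2016.0.0.3", "15.14.1-2016.0.0.4", "15.14.1-2016.0.0.5"):
        print(v, status(FACTS, "p7zip", v, "CVE-2016-9296"))
    print(status(FACTS, "p7zip", "15.14.1-2016.0.0.5", "CVE-0000-0000"))
```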
