control: severity -1 wishlist
control: tag -1 + moreinfo
control: tag -1 + security

On 2016-03-01 20:13, ban...@openmailbox.org wrote:
> Package: glibc
> Version: 2.21-9
> Severity: high
>
> Hi. After the recent glibc debacle I came across a patch to harden this
> important library against common attack vectors. Please think about

There might be a good idea behind this patch, but the recent GLIBC DNS security issue is not really a good argument for that, as it wouldn't have changed anything.

> reviewing and adding in Debian. The author warned there may be some package
> breakage but nothing too serious:
>
> http://seclists.org/oss-sec/2015/q1/604

If breakages are to be expected, you can't say they are "not too serious". Breaking working applications, especially on production systems, is something serious. Breaking other Debian packages is something serious. At the very *minimum* such a patch should come with an audit of all Debian packages in the archive to determine which ones might break so that they can be fixed first.

Also, as said on the above mailing list, the best issue is to discuss this patch upstream on the libc-alpha mailing list, so that we can come up with a common solution that will be available for all distributions. To the best of my knowledge this has still not been done. The oss-security list and this bug report are not the place for such a discussion, unless of course such a patch has been rejected upstream.

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net