severity 921156 important
thanks

On Tue, Feb 19, 2019 at 11:24:47PM -0600, Stephen Gelman wrote:
> On Tue, 12 Feb 2019 09:32:48 +0700 Arnaud Rebillout
> <arnaud.rebill...@collabora.com> wrote:
> > I looked into this a bit yesterday.
> >
> > As mentioned in the issue upstream at
> > https://github.com/etcd-io/etcd/issues/9353, the fix has been merged in
> > the master branch of etcd in March 2018, almost a year ago. The
> > conversation also mentions that this will be part of the next release,
> > v3.4. However, v3.4 has not been released yet.
> >
> > And I don't think we want to package a random commit from the master
> > branch of etcd. So if we want to solve this bug simply by updating the
> > package, we'll have to wait for v3.4 to be released.
> >
> > The other alternative is to cherry-pick the patch.
> >
> > If I'm not mistaken, the fix can be found in this MR:
> > https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
> > patch. It's unlikely that we can apply it without modification on the
> > etcd currently packaged in Debian.
> >
> > I personally can't do that, as I know nothing about etcd anyway. I don't
> > know if someone feels up to the task, or has a better idea about how to
> > solve that.
> >
> > Cheers,
> >
> > Arnaud
>
> Since upstream still hasn't released a version that fixes the CVE, is
> this still considered an RC bug? Obviously it's better to fix it ASAP,
> but if upstream doesn't consider it critical I'm not sure this should
> be RC.

Let's downgrade and revisit when a fix has been backported to a 3.2.x release.

Cheers,
Moritz