Re: emacs on SL6 - was Re: Security ERRATA Important: emacs on SL7.x x86_64

2017-09-20 Thread Akemi Yagi
On Tue, Sep 19, 2017 at 11:47 PM, Bill Maidment  wrote:

> Hi Andrew
> So much for security issue support for 10 years. Probably best to assume
> only 7 years in real life.
> This is why I'm switching all our users over to SL7 MATE, now that SL6 is
> in its final phase.
> Cheers
> Bill
>

Here's the description of the "Production 3 Phase":

https://access.redhat.com/support/policy/updates/errata/#Production_3_Phase

​"​During the Production 3 Phase, Critical impact Security Advisories
(RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be
released as they become available. Other errata advisories may be delivered
as appropriate."

So, yes, not all security updates are available once RHEL (therefore
Scientific Linux) goes into that phase.

Akemi


RE: emacs on SL6 - was Re: Security ERRATA Important: emacs on SL7.x x86_64

2017-09-20 Thread Bill Maidment
Hi Andrew
So much for security issue support for 10 years. Probably best to assume only 7 
years in real life.
This is why I'm switching all our users over to SL7 MATE, now that SL6 is in 
its final phase.
Cheers
Bill
-Original message-
> From:Andrew C Aitchison <and...@aitchison.me.uk>
> Sent: Wednesday 20th September 2017 16:32
> To: scientific-linux-us...@listserv.fnal.gov
> Subject: emacs on SL6 - was Re: Security ERRATA Important: emacs on SL7.x 
> x86_64
> 
> On Tue, 19 Sep 2017, Pat Riehecky wrote:
> 
> > Synopsis:  Important: emacs security update
> > Advisory ID:   SLSA-2017:2771-1
> > Issue Date:2017-09-19
> > CVE Numbers:   CVE-2017-14482
> > --
> >
> > Security Fix(es):
> >
> > * A command injection flaw within the Emacs "enriched mode" handling has
> > been discovered. By tricking an unsuspecting user into opening a specially
> > crafted file using Emacs, a remote attacker could exploit this flaw to
> > execute arbitrary commands with the privileges of the Emacs user.
> > (CVE-2017-14482)
> 
> I see from https://access.redhat.com/security/cve/CVE-2017-14482
> that RedHat have marked this "wont fix" on RHEL6 and "investigating"
> on RHEL5, which seems odd - I'd have expected the other way around
> (unless a RHEL5 customer is paying for it).
> 
> Yes, there is a workaround, but I imagine that emacs is commonly used
> on RHEL6 and SL6 servers and it only takes one careless mistake...
> 
> How do other SL6 users feel about this "wont fix" ?
> 
> I'm trying to write my own patch, but seem to be struggling to patch
> a file near a ctrl-L character ...
> 
> -- 
> Andrew C. Aitchison   Cambridge, UK
>   and...@aitchison.me.uk
> 
>
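Andrew's quoted message mentions writing his own patch and struggling to patch a file near a Ctrl-L character (Emacs Lisp sources use Ctrl-L, byte 0x0c, as a page separator). What follows is an added example, not code from this thread and not Emacs's own code: a POSIX shell walk-through that generates a unified diff against a file containing such a byte, checks that the byte survived in the patch, applies the patch to a fresh copy, and checks the result. The file it edits is a constructed stand-in for enriched.el, not the real file; the "fixed" function body, which ignores the parameter taken from the opened file and returns only (list start end), has the same shape as the workaround upstream Emacs published for CVE-2017-14482 on Emacs 25.2 and earlier (redefining enriched-decode-display-prop that way). Paths under the temporary directory are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): making and applying a patch to a file
# that contains a form feed (Ctrl-L, 0x0c) page separator, and checking that
# the byte is intact before and after. Requires diff, patch, tr, cmp.
set -eu

write_demo_files() {
    # Constructed stand-in for enriched.el (NOT the real file). The body only
    # loosely mirrors the pre-fix shape: PARAM, text taken from the opened
    # file, is parsed with read-from-string and attached as a property.
    cat > "$1/orig.el" <<'EOF'
;;; mock-enriched.el --- constructed stand-in, not Emacs's enriched.el

(defun enriched-decode-display-prop (start end &optional param)
  (let ((prop (when (stringp param)
                (car (read-from-string param)))))
    (list start end 'display prop)))
EOF
    # The Ctrl-L page separator is written as a byte, never pasted by hand.
    printf '\f\n' >> "$1/orig.el"
    echo ';;; mock-enriched.el ends here' >> "$1/orig.el"

    # Fixed copy: PARAM is ignored, so nothing from the file is parsed or
    # evaluated. This is the shape of the published upstream workaround.
    cat > "$1/fixed.el" <<'EOF'
;;; mock-enriched.el --- constructed stand-in, not Emacs's enriched.el

(defun enriched-decode-display-prop (start end &optional param)
  ;; Ignore PARAM: never parse or evaluate text taken from the file.
  (list start end))
EOF
    printf '\f\n' >> "$1/fixed.el"
    echo ';;; mock-enriched.el ends here' >> "$1/fixed.el"
}

make_patch() {
    # diff reads both files from disk, so the 0x0c byte lands in the hunk's
    # trailing context line untouched. diff exits 1 when the files differ,
    # which is the expected outcome here, not an error.
    diff -u "$1/orig.el" "$1/fixed.el" > "$1/fix.patch" || [ "$?" -eq 1 ]
}

apply_patch() {
    # Apply the generated hunk to a fresh copy of the original file.
    cp "$1/orig.el" "$1/target.el"
    patch "$1/target.el" "$1/fix.patch"
}

count_formfeeds() {
    # Number of 0x0c bytes in FILE. Run it on the patch before mailing or
    # pasting it anywhere, and on the result after applying it.
    tr -cd '\f' < "$1" | wc -c | tr -d ' '
}

main() {
    dir=$(mktemp -d)
    write_demo_files "$dir"
    make_patch "$dir"
    echo "form feeds in patch: $(count_formfeeds "$dir/fix.patch")"
    cat "$dir/fix.patch"
    # A patch that went through something that strips control bytes:
    tr -d '\f' < "$dir/fix.patch" > "$dir/mangled.patch"
    echo "form feeds in mangled copy: $(count_formfeeds "$dir/mangled.patch")"
    if command -v patch >/dev/null 2>&1; then
        apply_patch "$dir" >/dev/null
        echo "form feeds in patched file: $(count_formfeeds "$dir/target.el")"
        cmp -s "$dir/target.el" "$dir/fixed.el" && echo "patched file matches fixed.el"
    fi
    rm -rf "$dir"
}
main
```

Generating the hunk on disk and counting the 0x0c bytes before and after is the point: if the patch passes through a mail client or an editor that drops or rewrites the form feed, the context line around the page break no longer matches the file, and patch will either apply the hunk with fuzz or reject it. With GNU patch, -F0 makes it refuse fuzzy matches so that such a mismatch is reported rather than tolerated.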