On Oct 2, 2015 4:50 AM, "intrigeri" <intrig...@boum.org> wrote:
>
> Hi,
>
> Austin English wrote (07 Sep 2015 20:30:59 GMT) :
> > On Mon, Sep 7, 2015 at 3:25 PM, Austin English <austinengl...@gmail.com> wrote:
> >> Rebasing it was trivial (the conflict was on adding the test to the
> >> Makefile). It looks like upstream has a bug (they don't actually run
> >> the tests), but that's fixed in this patch.
>
> > Small correction, their build system changed, upstream does not have a
> > bug in that regard.
>
> Thanks again for requesting a CVE ID about it. The CVE folks have
> analyzed this in depth and concluded it is a Tails vulnerability, not
> a wget one. So we got our first CVE ID, it seems:
>
> http://www.openwall.com/lists/oss-security/2015/10/01/10
>
> ⇒ this won't get fixed via Debian security update, and we need to
> handle it on our side.
>
> Austin, given this, can you please give advice wrt. what's the easiest
> safe way to fix that problem in Tails? Can we do that on Tails/Wheezy
> with configuration only, or do we need to patch wget? Is it any
> different in Tails/Jessie, or with wget 1.16.3 that we could perhaps
> backport?
>
> (Sorry, I've no time/energy at the moment to re-read the entire thread
> and the one it links to.)
>
> Also, any idea if other FTP clients we ship (at least Tor Browser and
> Nautilus) are affected by this problem?
>
> I'd like to see tickets on our Redmine track the known problem, and
> the research about more potential ones. If you don't feel like
> creating these tickets, let me know and I'll do it.
>
> Cheers,
> --
> intrigeri

I'm on holiday for the next two weeks, so please create the tickets. Afaict, it requires patching wget. The fix backports cleanly, the tests don't (I've manually backported that).
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.