On 10/09/2014 07:00 AM, Johnny Hughes wrote: > On 10/09/2014 06:48 AM, Kai Schaetzl wrote: >> I noticed this as well but did some homework ;-) >> https://bugzilla.redhat.com/show_bug.cgi?id=1147189 >> https://access.redhat.com/security/cve/CVE-2014-6277 >> >> If I understand it correctly they think it's not exploitable anymore. >> Still think it should get patched immediately as there is an upstream >> patch available and it avoids any more questions and confusion about this >> problem. > > Well, the upstream patch, at least as it is written now, would require > them to back out their patches to apply. > > But regardless if whether or not they fix the segfault issue, that is > NOT a security issue or exploitable. > > It might possibly be a Denial of Service mechanism, I guess. > > The place to address this is on the bugzilla entry though. We will > publish the changes Red Hat rolls into the source and the upstream > bugzilla is how to make that happen. > > > https://bugzilla.redhat.com/show_bug.cgi?id=1147189 Although, this is already in there: "We can reproduce this parser bug. But we treat this as a regular bug, not a security bug, because of the fixes mentioned in comment #1." So, I would imagine that statement means that they are going to fix the segfault issue as a RHBA, not an RHSA. This likely means it will happen, but the QA and regression testing will be longer and more thorough as it is not a time critical security issue. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20141009/e62dce3a/attachment-0004.sig>