Stability v. security fixes
Posted May 10, 2007 7:42 UTC (Thu) by email@example.com
Parent article: Stability v. security fixes
The cpio issue isn't running cpio on untrusted data, the overflow is in the filename handling, so you'd need to run cpio on a rather suspicious looking filename (where the filename contains the trigger for this issue, shellcode etc)
You can find out what issues we've deferred at any point in time by doing a bugzilla query against the product of interest where Keyword = "Security". We now also publish statements directly into the National Vulnerability Database (nvd.nist.gov) for these issues.
Where a package has been selected for the Update for some other reason (in
the cpio case to fix a couple of bugs), we'll also take that opportunity to
include fixes for any security issues we previously deferred. Whenever we include a fix for a security issue, even a low severity one, in
an Update release, we will promote it to a security update and include the CVE; even if it does mean we'll end up as being counted as fixing more vulnerabilities or having longer days of risk metrics for these low severity issues.
to post comments)