[pkg-db-devel] Bug#872436: db5.3: CVE-2017-10140: Berkeley DB reads DB_CONFIG from cwd

Salvatore Bonaccorso carnil at debian.org
Thu Aug 17 12:58:11 UTC 2017


Hi

A further comment: We (security team) think it would be wise to first
have the patch exposed for a while in unstable, and look for possible
regressions if there are applications basically relying on that
behaviour (hopefully not).

Then we could look further at whether to release a DSA for it or rather
go safer via a point release and have it exposed as well for a while via
the proposed-updates queues.

I can prepare a NMU for sid if needed, will follow up with a debdiff
shortly and upload to a delayed queue (10 days). If you then are fine
to either override it or have it rescheduled, that would be great as
well.

Regards,
Salvatore
