[Buildroot] [PATCH 1/1] package/systemd: add upstream fix for CVE-2018-16864

James Hilliard james.hilliard1 at gmail.com
Fri Jan 11 12:04:14 UTC 2019


On Fri, Jan 11, 2019 at 4:53 AM Peter Korsgaard <peter at korsgaard.com> wrote:
>
> >>>>> "James" == James Hilliard <james.hilliard1 at gmail.com> writes:
>
> Hi,
>
>  > On Fri, Jan 11, 2019 at 4:46 AM Peter Korsgaard <peter at korsgaard.com> wrote:
>  >>
>  >> >>>>> "James" == James Hilliard <james.hilliard1 at gmail.com> writes:
>  >>
>  >> Hi,
>  >>
>  >> >> >> What about CVE-2018-16865, E.G. commit 052c57f132f04a / ef4d6abe7c7fa?
>  >> >> >> Do those not apply to 240?
>  >> >> > So here https://www.qualys.com/2019/01/09/system-down/system-down.txt it says:
>  >> >> > "CVE-2018-16865 was introduced in December 2011 (systemd v38) and became
>  >> >> > exploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced
>  >> >> > in June 2015 (systemd v221) and was inadvertently fixed in August 2018."
>  >> >> > So my assumption was that we didn't need patches for CVE-2018-16865
>  >> >> > since systemd 240 was released in Dec 2018.
>  >> >>
>  >> >> We don't need a fix for 16866, but we do need for 16865, right?
>  >> > That is not entirely clear to me as there seems to be contradictory info.
>  >>
>  >> Sorry, what is unclear about "CVE-2018-16865 was introduced in December
>  >> 2011 (systemd v38) and became exploitable in April 2013 (systemd v201)"?
>  > The part that is unclear is that it supposedly "was inadvertently
>  > fixed in August 2018".
>
> But that refers to 18666 and NOT 18665?
Hmm, not sure why I was mixing those up, you're right.
>
> --
> Bye, Peter Korsgaard



More information about the buildroot mailing list