Comment 12 for bug 1470842
Revision history for this message
| Tyler Hicks (tyhicks) wrote Re: [Bug 1470842] Re: lxc tools lock handling vulnerable to symlink attack | #12 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
On 2015-07-06 19:12:31, Stéphane Graber wrote:
> Serge provided a patch by e-mail.
I replied to his patch with a potential attack vector that was still
available. I point this out because we may not have a final patch at
this point.
> Upstream we've got LXC 1.1.3 right around the corner so we can land the
> patch in git master and then push it to the 1.1 maintenance branch and
> tag 1.1.3 very soon after. This release will then make it directly to
> wily and vivid.
>
> For trusty, we'll have to wait for LXC 1.0.8 upstream and that'll take a
> while longer as I've got a backlog of about 200 patches to go through
> for the stable branch.
The security team will apply the fix, as a distro patch, to all affected
stable releases and push out updates. You can then handle the Trusty SRU
however you'd like as long as you don't drop the fix in the version that
you take through the SRU process.
> So I guess the best for now is to pick a time where we:
> - Push Serge's fix as a distro patch to all supported releases
> - Push the fix to LXC git master
> - Post to lxc-devel and lxc-users about the security issue
> - Tag LXC 1.1.3 including the fix
> - Continue working on LXC 1.0.8 which will include the fix too
Lets wait just a little bit longer on deciding that time until we're
sure that we have a final patch available.