Comment 7 for bug 1814596
Revision history for this message
| Zbigniew Jędrzejewski-Szmek (zbyszek-in) wrote | #7 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Hi,
Jann, thank you for the bug report.
After discussing this upstream, we decided to make treat the issue (both CVEs) more as hardening, i.e. push additions to documentation and other changes directly upstream, without assigning an embargo. As it was already said, the issue has characteristics that make it low-impact: it requires control both of the service and a helper outside, and DynamicUsers are not widely used yet [1]. In addition, the numbers are assigned randomly, so an exploit would either need a service that is restarted a lot or wait a long time... And on the other hand, there doesn't seem to be single fix.
We'll start with a PR for NNP=yes, but we want to discuss this upstream in case there's some unforeseen impact. Please keep the issue private for now, we can open it after fixes are pushed upstream.
[1] codesearch.