Bug 1532284 (CVE-2017-18018)
Summary: | CVE-2017-18018 coreutils: race condition vulnerability in chown and chgrp | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | admiller, jamartis, jarodwilson, kdudka, kzak, lpardo, ooprala, ovasik, p, twaugh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-08 03:36:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1532285 | ||
Bug Blocks: |
Description
Laura Pardo
2018-01-08 15:10:03 UTC
Created coreutils tracking bugs for this issue: Affects: fedora-all [bug 1532285] Do I understand it correctly that CVE-2017-18018 was fixed as documentation bug only? What are you expecting to happen? The documentation fix being applied on Fedora release via security update? Are you assuming that Fedora users read the info documentation thoroughly enough to actually notice the documentation update? (In reply to Kamil Dudka from comment #2) > Do I understand it correctly that CVE-2017-18018 was fixed as documentation > bug only? What are you expecting to happen? The documentation fix being > applied on Fedora release via security update? > > Are you assuming that Fedora users read the info documentation thoroughly > enough to actually notice the documentation update? Hey Kamil, you definitely don't need to do an async release for this kind of issue, that's your call. This was mainly filed so that we are tracking it's existence and the fact that it got a CVE identifier. I think it's fine to wait for the next upstream release which should contain the updated documentation. Feel free to wontfix the tracker if you want. |