Red Hat Bugzilla – Bug 64630
dhcp 3.0 security vulnerability (CA-2002-12)
Last modified: 2008-05-01 11:38:02 EDT

The dhcp-3.0-6 packages currently in rawhide are apparently affected by
the "Format String Vulnerability" described here:
Please roll dhcp-3.0pl1 packages as soon as possible...

You're incorrectly expecting support for rawhide packages. (No releases have
dhcp 3.x included, so there's no need for an erratum.)
The package will get updated eventually, but it's not a priority...

First you declined to fix the known-broken dhcp-2.0 package (see #36620)
because the dhcp-3.0 package in rawhide fixes the problem, and now you're
saying you won't support dhcp-3.0 because it's in rawhide?
It seems that you're saying "We won't put effort into fixing dhcp-2.0 bugs
because there's a dhcp-3.0 package available", and at the same time, "We won't
put effort into fixing dhcp-3.0 bugs because there's a dhcp-2.0 package
An obvious catch-22.
IMO, one or the other needs to be fixed. Both available dhcp packages shouldn't
be left broken and unsupported like this.

Like I said, the dhcp in rawhide will get fixed eventually, but rawhide isn't
something that is supported in any fashion, just a holding pen for development
work. The 36620 issue _is_ solved in rawhide (meaning that the 36620 fix will be
in a future release when people can be expected to actually use it), but that
package-with-security-hole the best I can do given my priorities and the low
priority of rawhide.

Okay, fair enough. I guess I'll hack up my own package for 3.0pl1 in the

3.0pl1 packages are being worked on now, should be a week hopefully.

pl1 in rawhide