Security fixes release for these CVEs:
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2017-a606d224a5
This update has been submitted for testing by dkaspar.
Please confirm that CVE-2017-7975 is fixed with this update and CVE-2016-10317, CVE-2017-7885, CVE-2017-7976 are not. The referenced bugs suggest that at least CVE-2017-7885 and CVE-2017-7976 are fixed as well, but those are not mentioned above.
Well, the exact CVEs fixed are specified in the Details of the Bodhi update. IMHO that should be intuitive, but maybe I'm wrong.
And yes, only CVE-2017-7975 is fixed. The CVE-2016-10317, CVE-2017-7885, CVE-2017-7976 are not fixed. The fix for the latter will be released once upstream provides it. There's no reason to wait on the other fixes while the biggest threats can already be secured (we don't have any ETA from upstream).
P.S.: The referenced bugs will not be automatically closed once this update gets to stable.
Sure, thanks for clarifying... I find it rather intuitive as well, but some bots (existence provided) may not and they might end up thinking this update is a fix for one of the CVEs they regexp'd while crawling around and I have to clean up the mess. Which is not what happened :) Thanks again!
Ah, OK, I'm sorry for the inconvenience... :-/ Is there any way I could prevent this in the future? I don't think not linking the CVEs' BZs is a way to go here (I will link them from multiple bodhi updates).
This update has been pushed to testing.
Works great! LGTM! =)
no regressions noted
Works
This update has been submitted for stable by bodhi.
This update has been pushed to stable.