Lars M. wrote:
On Fri, Mar 08, 2013 at 06:20:02PM -0800, Linda Walsh wrote:
Sorry, ...
Probably should be fixed before 12.3 ships...
Fortunately, the fix is easy -- just remove the offending patch:
bash-3.2-longjmp.dif
a) Please consider adding the patch to bnc#806628
b) In general, if you believe a defect has security implications, please select 'Component: Security' to enable access limitation in bugzilla.
Cheers,
Lars
Setting component:security doesn't enable access limitations. On the bug you set component:security on, I was able to access it without logging in. On the new bug I created I had set the 'open-only-to-suse-security' flag, and that flag only allowed access to the bug after I had logged in (presumably because I was the reporter).

As for 'a', above, are you asking me to copy the source of the patch that is from the suse rpm, that is in the file 'bash-3.2-longjmp.dif' into the bug report? It is already part of the suse bash rpm. By patching the rpm, suse has introduced a security hole that is specific to suse's version.

I'm sorry, I guess I was trying to be a bit too circumspect in reporting the details and was too close to them, myself, to not be aware that others would know what I was talking about.