by creatrixcordis 3169 days ago
Debian repos and inherently Ubuntu's repos also have wpa_supplicant 2.4; we will see if they update to 2.6 or release a patch. Probably patch before 2.6.

It would be nice if there was a rule which package repos and distros would adhere to. The rule would adapt, such as all the packages that have had a security issue will always be required to be updated to the latest versions in the next release or sooner. As vulnerabilities are discovered, the list of packages would grow and hopefully would prevent some future attacks. Obviously it's not foolproof but every little bit counts.


There has always been a rule for bug-fix and security updates:

Apply the minimum necessary change to solve the problem.

This means cherry-picking the mainline patches where possible, or back-porting them where modification is required for them to apply (and work as intended) on older releases.

Especially with older versions it often isn't possible to update to a later upstream release because that depends on later versions of other packages. The dependencies can rapidly multiply to affect tens or even hundreds of packages.

Ubuntu patches were prepared and released within 4 hours of the security team being aware of the vulnerability. Same goes for Debian.

Where do I go to get the patch?

I looked here and I don't know where to pick up the patch. Also ran update manager in my Ubuntu distro but no dice :(

https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1723909 http://people.canonical.com/~ubuntu-security/cve/pkg/wpa.htm...

Just dropped, woohoo :)