group.of.nepali.translators team mailing list archive
Message #11518
[Bug 1648921] Re: Sandbox the tracker extractor
When I looked earlier, I couldn't easily backport this to 16.04 LTS.
After a few months, I believe the tracker sandbox still causes
regressions since it blocks stuff that used to be allowed. The new
tracker (with sandbox) will be shipped in 17.04 and Debian stretch, but
I think this update is not worth doing for 17.04 given that 17.04 is
already halfway through its short life and given that we are unlikely to
be able to fix all regressions it introduces.
** Tags removed: verification-needed
** Tags added: verification-failed
** Changed in: tracker (Ubuntu Xenial)
Status: New => Won't Fix
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1648921
Title:
Sandbox the tracker extractor
Status in Tracker:
Fix Released
Status in tracker package in Ubuntu:
Fix Released
Status in tracker source package in Xenial:
Won't Fix
Status in tracker source package in Yakkety:
Fix Committed
Bug description:
  * SECURITY UPDATE: extractor now runs in a sandbox confined by libseccomp
    - extractor's filesystem and network access is limited to being read and
      local only (LP: #1648921)
    - No CVE number
The tracker developers have recently confined their extractor to
attempt to make tracker more resilient to attacks, especially
involving flaws in gstreamer parsers.
There is no CVE number assigned to this issue.
https://lwn.net/Articles/708196/
https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html
The gstreamer security fixes are being handled separately. See bug
1619600.