From: Nable
To: Mike Gabriel, 778@bugs.x2go.org
Date: Sun, 1 Feb 2015 16:40:59 +0400
Subject: Re: [X2Go-Dev] Bug#778: affected by CVE 2015-0235: Stop using gethosbyname()
In-Reply-To: <1422774281.1428.5.camel@Nokia-N900>

Hi, Mike!

I'm looking at this and the previous bug (#777) and can't stop wondering whether applications should really contain workarounds for bugs in system libraries.
Isn't it better to just depend on a newer version of the library (one that has fixes for currently known bugs)? There are a lot of older bugs in glibc (that are fixed in the current version). Does it mean that applications should be bloated with workarounds for such bugs just in order to work more safely on machines where users don't pay enough attention to updates?