phoronix
While fixes for the CVEs are indeed being pushed, I don't think a release v241 is coming out anytime soon, in particular not one that will only fix those CVEs...
I think you're reading too much into PR #11387 which says "Prepare release v241" and adds a section titled "CHANGES WITH 241 in spe" to the NEWS file...
This tends to happen every beginning of the cycle and not really close to a new release. For instance, the corresponding change for v240 happened in commit fcb975129693 back in July 2018.
Meanwhile, you'll see that the fixes are being pushed to the systemd-stable repository, which has branches for most of the recent releases. For example, I just pushed a backport of the fix to CVE-2018-16866 to v239 in stable last week. These branches are more relevant to Linux distributions, since they're most likely tracking specific versions of systemd and wouldn't really upgrade to v241 once one was released... Even ArchLinux tracks the last released version of it, so using v240 stable they'll get all the fixes they need. Fedora/RHEL/Debian/Ubuntu all track the branches in the -stable repository AFAIR.
So, yes, fixes are coming. But I don't think a v241 is going to be released anytime soon. Particularly not just to address these fixes.
Cheers and thanks for the coverage of these systemd vulnerabilities!
While fixes for the CVEs are indeed being pushed, I don't think a release v241 is coming out anytime soon, in particular not one that will only fix those CVEs...
I think you're reading too much into PR #11387 which says "Prepare release v241" and adds a section titled "CHANGES WITH 241 in spe" to the NEWS file...
This tends to happen every beginning of the cycle and not really close to a new release. For instance, the corresponding change for v240 happened in commit fcb975129693 back in July 2018.
Meanwhile, you'll see that the fixes are being pushed to the systemd-stable repository, which has branches for most of the recent releases. For example, I just pushed a backport of the fix to CVE-2018-16866 to v239 in stable last week. These branches are more relevant to Linux distributions, since they're most likely tracking specific versions of systemd and wouldn't really upgrade to v241 once one was released... Even ArchLinux tracks the last released version of it, so using v240 stable they'll get all the fixes they need. Fedora/RHEL/Debian/Ubuntu all track the branches in the -stable repository AFAIR.
So, yes, fixes are coming. But I don't think a v241 is going to be released anytime soon. Particularly not just to address these fixes.
Cheers and thanks for the coverage of these systemd vulnerabilities!
Comment