Package: linux-2.6
Version: 2.6.30-1
Severity: grave
Tags: security
Justification: user security hole
Hello again Debian kernel team!

According to the security tracker [1], CVE-2009-1758 is fixed in testing, but not in unstable. It's fixed in testing because it was fixed in a stable (lenny) point release, and stable packages updated in a point release are automatically migrated to testing whenever the version in testing happens to be older than the updated stable one.

[1] http://security-tracker.debian.net/tracker/CVE-2009-1758

Having a fixed package in testing is great, but of course it also means that the vulnerability should be fixed in unstable before the package migrates from unstable to testing, or otherwise a regression will happen!

As part of a triage effort [2], I personally tried to understand whether CVE-2009-1758 is already fixed in linux-2.6/2.6.30-1, but I failed [3].

[2] see the following subthread for further details: http://lists.debian.org/debian-security-tracker/2009/07/msg00007.html
[3] see especially this message: http://lists.debian.org/debian-security-tracker/2009/07/msg00024.html

Please note that I didn't actually test linux-2.6/2.6.30-1 against the vulnerability: I just searched for the link to the supposed fix on the MITRE CVE page, with the intention of taking a look at the relevant files in linux-2.6_2.6.30.orig.tar.gz in order to see whether they included the modifications...

I am filing this bug report in order to make sure CVE-2009-1758 is fixed in unstable before linux-2.6 migrates to testing.

Please check whether CVE-2009-1758 is fixed in linux-2.6/2.6.30-1: if the fix is already included, then this bug report may be safely closed. On the other hand, if linux-2.6/2.6.30-1 is vulnerable, then please apply the fix that was used [4] to prepare linux-2.6/2.6.26-15lenny3 and upload a new Debian revision (linux-2.6/2.6.30-2) that fixes the vulnerability.

[4] see http://security-tracker.debian.net/tracker/DSA-1809-1

Once again, thanks for all the great work you're doing on the kernel packages!