> Actually, no Debian release contains a kernel version affected by
> CVE-2009-3889.

CVE-2009-3889 was fixed in upstream commit 66dca9b8 in Linux 2.6.27, so Debian's 2.6.24 and 2.6.26 are affected, but 2.6.18 and 2.6.32 are not. You can look at the dbg_lvl permissions, for example in the 2.6.32 kernel, to see that they are correctly restrictive, S_IWUSR.

> CVE-2009-3889 should be dealt with at the same time. That covers the
> dbg_lvl parameter which is also world-writable.

For 2.6.32, CVE-2009-3939 will need to be patched separately since CVE-2009-3889 is already fixed there.

As a minor aside, please include nnnnnn-submitter in your replies so your bug reporters get CC'd. I just happened to be looking at my submitted bugs recently when I came across your messages.

Thanks,
Mike