On Wed, Feb 16, 2011 at 07:59:16AM -0200, Henrique de Moraes Holschuh wrote:
> On Wed, 16 Feb 2011, Pascal Hambourg wrote:
> > Johan Grönqvist wrote:
> > > 2011-02-15 22:46, Kelly Dean wrote:
> > >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> > >> published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
> > >> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
> > >> fixed, or does it have the vulnerability?
> > ...
> >
> > > The updates to the 2.6.32 kernel thus seem to be incorporated into the
> > > version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable,
> > > but no higher versions of 2.6.32, and as 2.6.32.28 appears to be
> > > incorporated in squeeze, it seems that squeeze might not be vulnerable.
> >
> > I do not know if 2.6.32 was vulnerable either, but looking at upstream
> > kernel changelogs it seems that the fix was not backported to any
> > upstream -stable (now -longterm) release older than 2.6.35, including
> > 2.6.32. So if upstream 2.6.32 was vulnerable, 2.6.32.28 still is.
>
> http://security-tracker.debian.org/tracker/CVE-2010-2943
>
> It is supposed to be vulnerable.
I've backported a fix for this, but it was too late to make the initial
release of squeeze. The fix is queued for the first update to squeeze, see:
http://svn.debian.org/wsvn/kernel-sec/active/CVE-2010-2943

> Upstream is sitting on backports of this one for some reason, because it is
> not on any stable or longterm kernel as far as I can see.

I forwarded our backport to stable, and it has been tentatively accepted for
the 2.6.32-longterm tree.

> RedHat fixed this one:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2943
>
> Ubuntu also did:
> http://www.ubuntuupdates.org/packages/show/199704 (Version: 2.6.32-27.49)

Yes, but note that backport introduced a regression:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/692848

-- 
Archive: http://lists.debian.org/20110217231542.ga27...@dannf.org