Re: Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server

To: Christoph Egger <christoph@debian.org>
Cc: 706414@bugs.debian.org, "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>, team@security.debian.org, 706418@bugs.debian.org
Subject: Re: Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server
From: Steven Chamberlain <steven@pyro.eu.org>
Date: Wed, 01 May 2013 11:43:31 +0100
Message-id: <[🔎] 5180F1D3.3050402@pyro.eu.org>
In-reply-to: <[🔎] 8761z357o7.fsf@hepworth.siccegge.de>
References: <517EEA4B.2090302@pyro.eu.org> <517EF9CC.90408@pyro.eu.org> <[🔎] 8761z357o7.fsf@hepworth.siccegge.de>

On 01/05/13 11:14, Christoph Egger wrote:
> [...] As it is too late for wheezy r0 it seems we'll
> need to go through either security or stable-updates for wheezy

Yes, we need to fix it in sid anyway.  I think this (in kfreebsd-9)
merits a DSA and the fix made available via security.d.o as soon as
possible after release, for users who install wheezy r0.  Then it would
automatically enter the proposed-updates queue for r1.

For kfreebsd-8, the vulnerable code is present but not normally enabled,
so we may want to address it in wheezy with a stable update only.

For squeeze, I think the 8.1 kernel also has the vulnerable code, but
NFS wasn't even supported in that release.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Reply to:

References:
- Re: Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server
  - From: Christoph Egger <christoph@debian.org>

Prev by Date: Re: Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server
Next by Date: Re: Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server
Previous by thread: Re: Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server
Next by thread: Re: Bug#706414: CVE-2013-3266: Insufficient input validation in the NFS server
Index(es):
- Date
- Thread