Bug#536147: linux-2.6: [regression] CVE-2009-0029 fixed in testing, but not unstable
Justification: user security hole
Hello Debian kernel team!
According to the security tracker, CVE-2009-0029 is fixed in
testing, but not in unstable.
It's fixed in testing because it was fixed in a stable (lenny) point
release, and stable packages updated in a point release are
automatically migrated to testing, whenever the version in testing
happens to be older than the updated stable one.
Having a fixed package in testing is great, but of course it also means
that the vulnerability should be fixed in unstable before the package
migrates from unstable to testing, or otherwise a regression will
As part of a triage effort, I personally tried to understand whether
CVE-2009-0029 is already fixed in linux-2.6/2.6.30-1, but I failed.
 see the following subthread for further details:
 see especially this message:
Please note that I didn't actually test linux-2.6/2.6.30-1 against
the vulnerability: I just searched for the link to the supposed fix in
the MITRE CVE page and with the intention to take a look at the relevant
files in linux-2.6_2.6.30.orig.tar.gz, in order to see whether they
included the modifications...
I am filing this bug report, in order to make sure CVE-2009-0029 is
fixed in unstable, before linux-2.6 migrates to testing.
Please check whether CVE-2009-0029 is fixed in linux-2.6/2.6.30-1:
if the fix is already included, then this bug report may be safely
On the other hand, if linux-2.6/2.6.30-1 is vulnerable, then please
apply the fix that was used to prepare linux-2.6/2.6.26-13lenny2
and upload a new Debian revision (linux-2.6/2.6.30-2) that fixes
 see http://security-tracker.debian.net/tracker/DSA-1749-1
Thanks for all the great job you're doing on the kernel packages!