Bug#562975: linux-2.6: patch for CVE-2009-3939
> Actually, no Debian release contains a kernel version affected by
> CVE-2009-3889.

CVE-2009-3889 was fixed in upstream commit 66dca9b8 in Linux 2.6.27, so
Debian's 2.6.24 and 2.6.26 are affected, but 2.6.18 and 2.6.32 are not.
You can look at the dbg_lvl permissions, for example in the 2.6.32
kernel, to see that they are correctly restrictive, S_IWUSR.

> CVE-2009-3889 should be dealt with at the same time. That covers the
> dbg_lvl parameter which is also world-writable.

For 2.6.32, CVE-2009-3939 will need to be patched separately since
CVE-2009-3889 is already fixed there.

As a minor aside, please include nnnnnn-submitter in your replies so
your bug reporters get CC'd. I just happened to be looking at my
submitted bugs recently when I came across your messages.

Thanks,
Mike