
Bug#562975: linux-2.6: patch for CVE-2009-3939



On Tue, 2010-01-05 at 22:47 -0500, Michael Gilbert wrote:
> > Actually, no Debian release contains a kernel version affected by
> > CVE-2009-3889.
> 
> CVE-2009-3889 was fixed in upstream commit 66dca9b8 in linux 2.6.27, so
> Debian's 2.6.24 and 2.6.26 are affected, but 2.6.18 and 2.6.32 are not.
> You can look at the dbg_lvl permissions, for example in the 2.6.32
> kernel, to see that they are correctly restrictive, S_IWUSR.

Yes, I can see that.  I was checking which versions had the dbg_lvl
parameter and I must have got confused.

> > CVE-2009-3889 should be dealt with at the same time.  That covers the
> > dbg_lvl parameter which is also world-writable.
> 
> For 2.6.32, CVE-2009-3939 will need to be patched separately since
> CVE-2009-3889 is already fixed there.
> 
> As a minor aside, please include nnnnnn-submitter in your replies so
> your bug reporters get CC'd.  I just happened to be looking at my
> submitted bugs recently when I came across your messages.

Sorry; I usually do that.

Ben.

-- 
Ben Hutchings
Horngren's Observation:
                   Among economists, the real world is often a special case.
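A defender's check for the condition the thread describes (a kernel module parameter exposed under sysfs with a world-writable mode, as opposed to the restrictive S_IWUSR that 2.6.32 uses for dbg_lvl), added here as an example; it is not part of the bug report or of the Debian kernel patch. It assumes the standard Linux layout /sys/module/<module>/parameters/<name>; the function names are mine, and the directory tree used when exercising it is constructed rather than a real sysfs.

```shell
#!/bin/sh
# Added example, not from the bug report: list sysfs module-parameter files
# whose mode grants write access to "other" (the 0666-style permission the
# thread discusses), and expose a pass/fail check suitable for a CI gate.

# Print every regular file under $1 that is writable by "other".
# -perm -002 requires all of the listed bits (here only o+w) to be set,
# which is POSIX find syntax and works on GNU and BSD find alike.
find_world_writable_params() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f -perm -002 | sort
}

# Return 0 when no world-writable parameter file exists under $1, else 1.
check_module_params() {
    n=$(find_world_writable_params "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# When run directly with a path (normally /sys/module), scan it and report.
if [ "$#" -ge 1 ]; then
    if check_module_params "$1"; then
        echo "OK: no world-writable parameter files under $1"
    else
        echo "World-writable parameter files under $1:"
        find_world_writable_params "$1"
        exit 1
    fi
fi
```

Typical use on a host is `sh check_params.sh /sys/module`; the pass/fail exit status lets the script run as a post-boot or configuration-management check, and the listing shows which parameter the module author or distribution packager left writable to unprivileged users.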
