
Re: Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module



On Mon, Mar 15, 2010 at 12:13:06PM -0600, dann frazier wrote:
> On Mon, Mar 15, 2010 at 06:50:58PM +0100, Moritz Muehlenhoff wrote:
> > On 2010-03-15, dann frazier <dannf@debian.org> wrote:
> > > On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote:
> > >> I've also been bitten by this bug - noticed it last Friday and it
> > >> doesn't seem to be fixed this morning.
> > >>
> > >> Is there an ETA on a fix with packages?
> > >
> > > Packages are now available in the security repo (an apt-get upgrade
> > > should suffice).
> > >
> > > I'm hoping to get a CVE ID before sending out a formal DSA.
> > 
> > Why? That should be covered by the CVE ID for the original connector
> > security bug.
> 
> Just to make sure we're talking about the same thing...
> 
> One reason for this upload is to deal with the ABI breakage from the
> kernel upload which fixed CVE-2009-3725. I agree that no additional
> CVE is warranted to deal with that.
> 
> However, as part of fixing this, we discovered that drbd contains a
> security issue as well. This issue is in the same class as the issues
> covered by CVE-2009-3725. However, CVE-2009-3725 has an explicit list
> of 4 subsystems it covers, and drbd is not one of them.

Ack. But since the underlying issue is identical I don't think a separate
CVE ID is warranted. The CVE description can still be updated later if
needed.

Cheers,
        Moritz

