Re: CVE-2012-4542 and multiple other long-standing security problems
On Tue, Apr 30, 2013 at 07:49:01PM +0200, Arne Wichmann wrote:
> Hi. Just to remind you: there is quite a number of old security problems
> open. For most of these, fixes are available:
>
> Problem Fix
> CVE-2012-4542 https://lkml.org/lkml/2013/1/24/279
No fix has been agreed upstream.
> CVE-2012-2372 https://patchwork.kernel.org/patch/1493571/
No fix has been agreed upstream. rds is not auto-loaded because
we already knew it was crap.
> CVE-2012-4508 Fixed in unstable, but not in stable
I don't remember this one, but it may be too difficult and risky to
backport.
> CVE-2012-5374 9c52057c698fb96f8f07e7a4bcf4801a092bda89
> CVE-2012-5375 "
Unlikely to be fixed. btrfs is a tech preview in both squeeze and
wheezy.
> CVE-2012-6539 43da5f2e0d0c69ded3d51907d9552310a6b545e8
Fixed in wheezy; pending for squeeze-security.
> CVE-2012-6549 fe685aabf7c8c9f138e5ea900954d295bf229175
Pending for wheezy and squeeze-security.
> CVE-2013-0343 no good fix, but http://seclists.org/oss-sec/2013/q1/92
> contains some tries and discussion. Moreover, I am not sure if the problem
> is real.
It does seem to be a persistent denial of service. Still waiting for
a fix to be agreed upstream, though.
> CVE-2013-1819 eb178619f930fa2ba2348de332a1ff1c66a31424
Looking unlikely to be fixed. Even an attempt to backport this to 3.7
resulted in a regression.
> Is there any chance that these are fixed before wheezy gets stable?
There will be no updates to testing/unstable before the release. The
pending squeeze-security update wants more testing so probably won't
be ready before then either.
Ben.
--
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus