Re: linux-2.6_2.6.32-48squeeze4 and Bug #701744
On Mon, 2014-02-24 at 20:11 +0000, Ben Hutchings wrote:
> On Mon, 2014-02-24 at 15:48 +0000, Ian Campbell wrote:
> > On Sat, 2014-02-22 at 22:56 +0000, Ben Hutchings wrote:
> > > On Mon, 2013-09-30 at 20:25 +1000, Kris Shannon wrote:
> > > > I was eagerly awating the release of linux-2.6_2.6.32-48squeeze4
> > > > because it would fix #701744 (fallout from XSA-39: Linux netback DoS
> > > > via malicious guest ring)
> > > >
> > > >
> > > > It turns out I should have read the bug report more closely.
> > > >
> > > > #701744 was only about the xen-netback side of things.
> > > >
> > > >
> > > > I haven't been able to find a debian bug about the REAL bug - the
> > > > xen-netfront gso overflow.
> > > >
> > > >
> > > > Upstream have patched this:
> > > > http://git.kernel.org/linus/9ecd1a75d977e2e8c48139c7d3efed183f898d94
> > > >
> > > > "netfront: reduce gso_max_size to account for max TCP header"
> > > >
> > > >
> > > > Is this likely to go into a squeeze kernel?
> > >
> > > Maybe. Ian, is this going to be possible to backport?
> >
> > It looks fairly small and self contained, so I suspect so. Wei -- does
> > that sound right (the backport target is Debian Wheezy which is 2.6.32)
> >
> > The other question is whether there will be any more updates to the
> > Squeeze kernel at all, aren't we into security fixes only mode for
> > Squeeze by now?
>
> A regression due to a security fix is also a valid reason for a further
> security update.
I'm going to base this on the squeeze-security branch
(2.6.32-48squeeze6) rather than squeeze (2.6.32-49), although I expect
it'll be trivial to rebase.
Looks like squeeze4 is the latest actual upload BTW, at least according
to the PTS. squeeze5 has a bunch of stuff in it...
Reply to: