On 06/06/14 12:03, Moritz Muehlenhoff wrote: > On Fri, Jun 06, 2014 at 04:34:37AM +0200, Carlos Alberto Lopez Perez wrote: >> On 06/06/14 03:09, Carlos Alberto Lopez Perez wrote: >>> On 06/06/14 02:06, Carlos Alberto Lopez Perez wrote: >>>> Hi, >>>> >>>> >>>> I can see on the svn that the updated package for linux-2.6 is ready [1] >>>> (or at least seems so) >>>> >>>> However, I can't find it on buildd [2] neither on incoming.debian.org >>>> >>>> Any hint? >>>> >>>> Thanks! >>>> >>>> >>>> [1] http://anonscm.debian.org/viewvc/kernel?view=revision&revision=21392 >>>> [2] >>>> https://buildd.debian.org/status/architecture.php?a=amd64&suite=squeeze-lts >>>> >>> >>> Seems that it could be something wrong with one of this patches. >>> >>> http://article.gmane.org/gmane.comp.security.oss.general/12962 >>> >>> I suggest to wait until the issue is clarified. >>> >> Indeed. >> >> The third patch needs a fixed version: > > I've commited an updated patch to SVN, but I'm unable to work on the release > anytime soon. > > What remains to be done is > - Build the linux-2.6 package with the fixes from SVN > - Test (should also be posted here, so that others can test as well) > - Release and announce Can we release this? CVE-2014-3153 seems pretty easy to exploit and the impact is very high. I'm not a DD, so I can't release it myself. The fix seems to works as expected. It passed the futex test suite, (The patches affect the futex subsystem mainly. Posted on another mail in this thread) and the machine has been running since then with this new kernel without problems.
Attachment:
signature.asc
Description: OpenPGP digital signature