[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: linux-2.6 (2.6.32-48squeeze7) CVE-2014-3153

On 06/06/14 12:03, Moritz Muehlenhoff wrote:
> On Fri, Jun 06, 2014 at 04:34:37AM +0200, Carlos Alberto Lopez Perez wrote:
>> On 06/06/14 03:09, Carlos Alberto Lopez Perez wrote:
>>> On 06/06/14 02:06, Carlos Alberto Lopez Perez wrote:
>>>> Hi,
>>>> I can see on the svn that the updated package for linux-2.6 is ready [1]
>>>> (or at least seems so)
>>>> However, I can't find it on buildd [2] neither on incoming.debian.org
>>>> Any hint?
>>>> Thanks!
>>>> [1] http://anonscm.debian.org/viewvc/kernel?view=revision&revision=21392
>>>> [2]
>>>> https://buildd.debian.org/status/architecture.php?a=amd64&suite=squeeze-lts
>>> Seems that it could be something wrong with one of this patches.
>>> http://article.gmane.org/gmane.comp.security.oss.general/12962
>>> I suggest to wait until the issue is clarified.
>> Indeed.
>> The third patch needs a fixed version:
> I've commited an updated patch to SVN, but I'm unable to work on the release
> anytime soon.
> What remains to be done is
> - Build the linux-2.6 package with the fixes from SVN
> - Test (should also be posted here, so that others can test as well)
> - Release and announce

Can we release this? CVE-2014-3153 seems pretty easy to exploit and the
impact is very high.

I'm not a DD, so I can't release it myself.

The fix seems to works as expected. It passed the futex test suite, (The
patches affect the futex subsystem mainly. Posted on another mail in
this thread) and the machine has been running since then with this new
kernel without problems.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: