[Adding debian-lts public list] On Thu, 2014-09-11 at 12:23 +0200, Moritz Mühlenhoff wrote: > On Thu, Sep 11, 2014 at 07:37:13AM +0200, Salvatore Bonaccorso wrote: > > Hi Ben, > > > > On Thu, Sep 11, 2014 at 06:51:54AM +0200, Salvatore Bonaccorso wrote: > > > Hi Ben, > > > > > > On Thu, Sep 11, 2014 at 05:35:02AM +0100, Ben Hutchings wrote: > > > > RH and SUSE have updated their kernels for these vulnerabilities, but I > > > > haven't heard anything about this and don't know what the upstream fixes > > > > are. What's going on? Was any information sent to the linux-distros > > > > list? > > > > > > Cannot check the distro list right now. But it looks more information > > > is found on the corresponding bugtracker: > > > > > > https://bugzilla.novell.com/show_bug.cgi?id=CVE-2014-0205 > > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0205 > > > > So the first issue seems to be fixed since 2.6.37. Only squeeze(-lts) > > should be affected (please double check). Agreed. And the fix looks easily applicable to 2.6.32. > > > and > > > > > > https://bugzilla.novell.com/show_bug.cgi?id=CVE-2014-3535 > > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3535 > > > > Have not (yet) looked at this, probably after workday I can have a > > closer look. > > This one is fixed in 2.6.36, so only squeeze-lts is affected as well. It was specifically noted as being a security issue for vxlan, which was not present in 2.6.32 but has been backported to RHEL 6. So it shouldn't affect any other distribution. I've commented on the SUSE bug to this effect and will see if anyone disagrees. There could, of course, be other callers which can pass a null net_device pointer to one of these logging functions. Ben. -- Ben Hutchings It is easier to change the specification to fit the program than vice versa.
Attachment:
signature.asc
Description: This is a digitally signed message part