
Re: stable vs. testing: same versions, different status



On Sat, 4 Jul 2009 17:33:08 +0200 Francesco Poli wrote:
> I was going to file an RC bug against linux-2.6 for the following 7
> vulnerabilities that are fixed in testing, but not in unstable,
> according to the security tracker:
> 
> http://security-tracker.debian.net/tracker/CVE-2009-1758
> http://security-tracker.debian.net/tracker/CVE-2009-1633
> http://security-tracker.debian.net/tracker/CVE-2009-1630
> http://security-tracker.debian.net/tracker/CVE-2009-1338
> http://security-tracker.debian.net/tracker/CVE-2009-1242
> http://security-tracker.debian.net/tracker/CVE-2009-0835
> http://security-tracker.debian.net/tracker/CVE-2009-0834
> 
> However, while reviewing the CVE descriptions on http://cve.mitre.org/,
> I noticed that all of them seem to only affect Linux kernel upstream
> versions < 2.6.30.
> 
> Could someone check that linux-2.6/2.6.30-1 (currently in unstable) is
> really fixed w.r.t. the above-mentioned CVEs and possibly update the
> security tracker to reflect reality?

this kind of triage would really help out the kernel-sec team, but i
don't think i'll be able to find the time to do it myself soon.  it
would be great if you could help out with this.  it should be fairly
straightforward:

1. download the debian kernel source package from unstable
2. find the relevant patch (this is the diff link on the git.kernel.org
page linked from the mitre CVE page)
3. compare patch to debian kernel source and make sure that it is
present
4. file RC bugs for unfixed issues and send a message with your findings

mike
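Step 3 above (compare the upstream patch against the Debian kernel source and make sure it is present) is the part that gets tedious across seven CVEs, and it is also where a plain `patch --dry-run` can mislead when Debian carries a backported variant of the fix. The following is an added example, not tooling from the kernel-sec team or from Debian: it parses a unified diff of the kind linked from the git.kernel.org commit page and, for every hunk, reports whether the source tree already contains the post-patch lines ("fixed"), still contains the pre-patch lines ("unfixed"), or matches neither ("unknown", meaning the surrounding code differs and the hunk has to be reviewed by hand before filing a bug). The patch text and the two-file "kernel tree" under `drivers/demo/` are constructed for the demonstration and do not correspond to any real CVE fix; in real use you would unpack the linux-2.6 source package and point `check_patch()` at it with the saved diff.

```python
"""Classify each hunk of an upstream fix against a local source tree.

Added example (not Debian's or the kernel-sec team's own tooling).
Verdicts per hunk:
  "fixed"    post-patch lines (context + '+') are present in the tree
  "unfixed"  pre-patch lines  (context + '-') are present instead
  "unknown"  neither matches; code was refactored, review by hand
"""
import os
import re
import tempfile

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")


def parse_unified_diff(text):
    """Return [(path, [hunk, ...]), ...]; a hunk is its list of body lines."""
    files, path, hunks, hunk = [], None, [], None
    for line in text.splitlines():
        if line.startswith("+++ "):
            if path is not None:
                files.append((path, hunks))
            path = line[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path  # drop git's b/
            hunks, hunk = [], None
        elif HUNK_RE.match(line):
            hunk = []
            hunks.append(hunk)
        elif hunk is not None and line[:1] in (" ", "+", "-"):
            hunk.append(line)  # '\ No newline at end of file' is skipped
    if path is not None:
        files.append((path, hunks))
    return files


def hunk_side(hunk, side):
    """Hunk text as it reads before ('-') or after ('+') the patch."""
    other = "+" if side == "-" else "-"
    return [l[1:] for l in hunk if not l.startswith(other)]


def contains_block(haystack, needle):
    """True if the lines in `needle` appear consecutively in `haystack`."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def classify_hunk(source_lines, hunk):
    if contains_block(source_lines, hunk_side(hunk, "+")):
        return "fixed"
    if contains_block(source_lines, hunk_side(hunk, "-")):
        return "unfixed"
    return "unknown"


def check_patch(tree, diff_text):
    """Map each file touched by the diff to its per-hunk verdicts."""
    report = {}
    for path, hunks in parse_unified_diff(diff_text):
        full = os.path.join(tree, path)
        if not os.path.exists(full):
            report[path] = ["missing-file"] * len(hunks)
            continue
        with open(full) as f:
            src = f.read().splitlines()
        report[path] = [classify_hunk(src, h) for h in hunks]
    return report


# Constructed demo input: a.c already carries the bounds check, b.c does not.
DEMO_PATCH = """\
--- a/drivers/demo/a.c
+++ b/drivers/demo/a.c
@@ -1,4 +1,6 @@
 int demo_a(char *buf, size_t len)
 {
+    if (len > MAX_LEN)
+        return -EINVAL;
     memcpy(dst, buf, len);
     return 0;
--- a/drivers/demo/b.c
+++ b/drivers/demo/b.c
@@ -1,4 +1,5 @@
 int demo_b(int idx)
 {
+    idx = array_index_check(idx);
     return table[idx];
 }
"""
DEMO_TREE = {
    "drivers/demo/a.c": "int demo_a(char *buf, size_t len)\n{\n    if (len > MAX_LEN)\n"
                        "        return -EINVAL;\n    memcpy(dst, buf, len);\n    return 0;\n}\n",
    "drivers/demo/b.c": "int demo_b(int idx)\n{\n    return table[idx];\n}\n",
}


def run_demo():
    """Write the constructed tree to a temp dir and check the demo patch."""
    with tempfile.TemporaryDirectory() as tree:
        for rel, content in DEMO_TREE.items():
            full = os.path.join(tree, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)
        return check_patch(tree, DEMO_PATCH)


if __name__ == "__main__":
    for path, verdicts in run_demo().items():
        print(f"{path}: {', '.join(verdicts)}")
```

The "unknown" verdict is deliberately conservative: the tracker entry should only be closed for hunks that come back "fixed", and anything else is what the RC bug (step 4) or a manual diff against the Debian patch queue has to settle.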

