Re: Debian Kernel security status?
On Wed, Apr 19, 2006 at 04:50:27PM +0200, Jan Luehr wrote:
> Hello,
>
> looking at the recent vanilla changes, there seems to be rather rapid
> development at the moment ;-) and I have to confess that I've lost the overview
> of which sec-holes affect Debian and which don't.
>
> I was frightened recently, when I noticed that 2.4.27 was fixing some CVE-2004
> stuff over a month ago, as well as 2.6.
>
> Just take a look at CVE-2004-1017. It was fixed in Red Hat in January 2005 and
> fixed in Debian in March 2006.
It took us a while to figure out the whos/hows of doing kernel
security support for sarge, not to mention the huge backlog of issues
we had to process. However, we've done two pretty substantial
kernel security updates in the past few months, and I feel like we've
got it figured out now. Every CVE that we knew about either got fixed
or intentionally ignored for sarge2, and we're now working on sarge3.
> Therefore I suspect that the Debian kernels do have some security flaws, fixed
> in the mainline kernel months ago. Am I wrong here?
Yes - at least, for flaws with CVE IDs assigned - there could clearly
be other security fixes that were fixed upstream that weren't brought
to mitre's attention.
> And is there any public status / shape information on the debian kernels?
For issue-by-issue status, see svn://svn.debian.org/svn/kernel/patch-tracking
--
dann frazier