[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 1286-1] New Linux 2.6.18 packages fix several vulnerabilities

On Wed, 2 May 2007 21:37:39 +0200
Dann Frazier <dannf@debian.org> wrote:

> Hash: SHA1
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1286-1                    security@debian.org
> http://www.debian.org/security/                               Dann Frazier
> May 2nd, 2007                           http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
> Package        : linux-2.6
> Vulnerability  : several
> Problem-Type   : local/remote
> Debian-specific: no
> CVE ID         : CVE-2007-0005 CVE-2007-0958 CVE-2007-1357 CVE-2007-1592
> Several local and remote vulnerabilities have been discovered in the Linux
> kernel that may lead to a denial of service or the execution of arbitrary
> code. The Common Vulnerabilities and Exposures project identifies the
> following problems:


> This problem has been fixed in the stable distribution in version 
> 2.6.18.dfsg.1-12etch1.

Just trying to improve my understanding of Debian security advisories.

1) DSA 1286-1 isn't (yet) on the Debian Security page [0]. I assume
this means that the advisories are mailed first and subsequently added
to the website?

2) The advisory doesn't mention unstable, but three of the four CVEs
affect kernels up to 2.6.21, which would include 2.6.20 in unstable.
Will there be an advisory mentioning unstable?

The Security FAQ [1] says:

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly
moving targets and the security team does not have the resources needed
to properly support those. If you want to have a secure (and stable)
server you are strongly encouraged to stay with stable. However, work
is in progress to change this, with the formation of a testing security
team which has begun work to offer security support for testing, and to
some extent, for unstable.

But most DSAa mention which unstable package provides a fix. What
happens for something like 2.6.20, which doesn't exist in stable?

[0] http://www.debian.org/security/
[1] http://www.debian.org/security/faq#testing

mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

Reply to: