
Re: [SECURITY] [DSA 1286-1] New Linux 2.6.18 packages fix several vulnerabilities



On Wed, 2 May 2007 21:37:39 +0200
Dann Frazier <dannf@debian.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1286-1                    security@debian.org
> http://www.debian.org/security/                               Dann Frazier
> May 2nd, 2007                           http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
> 
> Package        : linux-2.6
> Vulnerability  : several
> Problem-Type   : local/remote
> Debian-specific: no
> CVE ID         : CVE-2007-0005 CVE-2007-0958 CVE-2007-1357 CVE-2007-1592
> 
> Several local and remote vulnerabilities have been discovered in the Linux
> kernel that may lead to a denial of service or the execution of arbitrary
> code. The Common Vulnerabilities and Exposures project identifies the
> following problems:

[snip]

> This problem has been fixed in the stable distribution in version 
> 2.6.18.dfsg.1-12etch1.

Just trying to improve my understanding of Debian security advisories.

1) DSA 1286-1 isn't (yet) on the Debian Security page [0]. I assume
this means that the advisories are mailed first and subsequently added
to the website?

2) The advisory doesn't mention unstable, but three of the four CVEs
affect kernels up to 2.6.21, which would include 2.6.20 in unstable.
Will there be an advisory mentioning unstable?

The Security FAQ [1] says:

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly
moving targets and the security team does not have the resources needed
to properly support those. If you want to have a secure (and stable)
server you are strongly encouraged to stay with stable. However, work
is in progress to change this, with the formation of a testing security
team which has begun work to offer security support for testing, and to
some extent, for unstable.

But most DSAs mention which unstable package provides a fix. What
happens for something like 2.6.20, which doesn't exist in stable?

[0] http://www.debian.org/security/
[1] http://www.debian.org/security/faq#testing

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
