
Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities



On Thu, Dec 11, 2008 at 05:06:52PM +0000, Dominic Hargreaves wrote:
> On Thu, Dec 04, 2008 at 10:59:11AM -0700, dann frazier wrote:
> 
> > Package        : linux-2.6.24
> > Vulnerability  : denial of service/privilege escalation
> > Problem type   : local/remote
> > Debian-specific: no
> > CVE Id(s)      : CVE-2008-3528 CVE-2008-4554 CVE-2008-4576 CVE-2008-4618
> >                  CVE-2008-4933 CVE-2008-4934 CVE-2008-5025 CVE-2008-5029
> >                  CVE-2008-5134 CVE-2008-5182 CVE-2008-5300
> > 
> > Several vulnerabilities have been discovered in the Linux kernel that
> > may lead to a denial of service or privilege escalation. The Common
> > Vulnerabilities and Exposures project identifies the following
> > problems:
> 
> [snip details]
> 
> > For the stable distribution (etch), these problems have been fixed in
> > version 2.6.24-6~etchnhalf.7.
> 
> All these issues are also listed as affecting 2.6.18 on
> <http://security-tracker.debian.net/tracker/>. Are there plans to
> release fixed packages?

Some do, some don't :) The security tracker is the canonical resource
- though you're welcome to monitor the kernel and kernel-sec svn
repositories on alioth if you want more granular information.

> Are there plans to release fixed packages?

Yes - 2.6.18 is in stable, and as such will be security supported for
at least another year. Minor/local DoS security issues in the kernel
are very frequent, so updated packages are constantly in
preparation. Preparing kernel updates is resource intensive so, unless
there's a severe issue, etch users should expect 2.6.18 and 2.6.24
updates to be staggered.

-- 
dann frazier

