Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
On Thu, Dec 11, 2008 at 05:06:52PM +0000, Dominic Hargreaves wrote:
> On Thu, Dec 04, 2008 at 10:59:11AM -0700, dann frazier wrote:
>
> > Package : linux-2.6.24
> > Vulnerability : denial of service/privilege escalation
> > Problem type : local/remote
> > Debian-specific: no
> > CVE Id(s) : CVE-2008-3528 CVE-2008-4554 CVE-2008-4576 CVE-2008-4618
> > CVE-2008-4933 CVE-2008-4934 CVE-2008-5025 CVE-2008-5029
> > CVE-2008-5134 CVE-2008-5182 CVE-2008-5300
> >
> > Several vulnerabilities have been discovered in the Linux kernel that
> > may lead to a denial of service or privilege escalation. The Common
> > Vulnerabilities and Exposures project identifies the following
> > problems:
>
> [snip details]
>
> > For the stable distribution (etch), these problems have been fixed in
> > version 2.6.24-6~etchnhalf.7.
>
> All these issues are also listed as affecting 2.6.18 on
> <http://security-tracker.debian.net/tracker/>. Are there plans to
> release fixed packages?

Some do, some don't :) The security tracker is the canonical resource
- though you're welcome to monitor the kernel and kernel-sec svn
repositories on alioth if you want more granular information.

> Are there plans to release fixed packages?

Yes - 2.6.18 is in stable, and as such will be security supported for
at least another year. Minor/local DoS security issues in the kernel
are very frequent, so updated packages are constantly in
preparation. Preparing kernel updates is resource intensive so, unless
there's a severe issue, etch users should expect 2.6.18 and 2.6.24
updates to be staggered.
--
dann frazier