Alexander Reichle-Schmehl un jour écrivit: >>
I can see that CVE-2008-3272 and CVE-2008-3275 had already been fixedin DSA-1630-1, but can you confirm that the other CVE doesn't affect 2.6.18?Well... According to http://security-tracker.debian.net/tracker/source-package/linux-2.6 it isn't.
The security tracker could be wrong. While useful, I don't trust It blindly.
More specifically, can someone confirm that CVE-2008-3915 doesn't affect the 2.6.18 kernel series in Debian? If I believe this link, this bug is not limited to 2.6.24 in Etch-and-a-half.http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3915http://security-tracker.debian.net/tracker/CVE-2008-3915 list only 2.6.24 as affected. Looking your link, the first version they list is 2.6.19.4. So, yes, it pretty much looks to me, as if etch's 2.6.18 is not affected by this issue.
Look better: 2.6.18 is listed, but as one of the last entries. I don't know why It is not listed in the same order, but It is true that It was easy to miss It.
Also, even if you would have been right, It would still be possible that Debian added a patch backporting the security problem (or hiding/fixing the bug by pure luck). Checking for that bug is not very difficult, but checking for this bug and all the other one can be very time consumming and boring, which can explain some delay.
Simon Valiquette