[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 1809-1] New Linux 2.6.26 packages fix several vulnerabilities

Hallo list,

dann frazier wrote:
> ----------------------------------------------------------------------
> Debian Security Advisory DSA-1809-1                security@debian.org
> http://www.debian.org/security/                           dann frazier
> Jun 01, 2009                        http://www.debian.org/security/faq
> ----------------------------------------------------------------------
> Package        : linux-2.6
> Vulnerability  : denial of service, privilege escalation
> Problem type   : local/remote
> Debian-specific: no
> CVE Id(s)      : CVE-2009-1630 CVE-2009-1633 CVE-2009-1758


> CVE-2009-1633
>     Jeff Layton and Suresh Jayaraman fixed several buffer overflows in
>     the CIFS filesystem which allow remote servers to cause memory
>     corruption.

Apparently this is a different issue from #506586, I can still verify
that bug on my system. In particular a simple 'du -hs' on the mounted
cifs share leads to an immediate freeze of the system.

I have two questions:

Is a hard freeze, incurring data loss of all open/unsaved files
considered a security issue?

Since #506586 and #509428 are reported to be fixed in
inux-image-2.6.29-1-686 2.6.29-2
inux-image-2.6.29-1-686 2.6.29-3
is there any chance that the fixes are backported for lenny or should
users of stable upgrade to the kernel from testing/unstable/backports?

FWIW, my tests support the claim that this is fixed for
backport's linux-image-2.6.29-bpo.2-amd64 .

Thanks for any clarification ;-)


Reply to: