Re: [SECURITY] [DSA 1809-1] New Linux 2.6.26 packages fix several vulnerabilities
Hallo list,
dann frazier wrote:
> ----------------------------------------------------------------------
> Debian Security Advisory DSA-1809-1 security@debian.org
> http://www.debian.org/security/ dann frazier
> Jun 01, 2009 http://www.debian.org/security/faq
> ----------------------------------------------------------------------
>
> Package : linux-2.6
> Vulnerability : denial of service, privilege escalation
> Problem type : local/remote
> Debian-specific: no
> CVE Id(s) : CVE-2009-1630 CVE-2009-1633 CVE-2009-1758
[snip]
> CVE-2009-1633
>
> Jeff Layton and Suresh Jayaraman fixed several buffer overflows in
> the CIFS filesystem which allow remote servers to cause memory
> corruption.
Apparently this is a different issue from #506586, I can still verify
that bug on my system. In particular a simple 'du -hs' on the mounted
cifs share leads to an immediate freeze of the system.
I have two questions:
Is a hard freeze, incurring data loss of all open/unsaved files
considered a security issue?
Since #506586 and #509428 are reported to be fixed in
inux-image-2.6.29-1-686 2.6.29-2
inux-image-2.6.29-1-686 2.6.29-3
is there any chance that the fixes are backported for lenny or should
users of stable upgrade to the kernel from testing/unstable/backports?
FWIW, my tests support the claim that this is fixed for
backport's linux-image-2.6.29-bpo.2-amd64 .
Thanks for any clarification ;-)
Johannes
Reply to: