[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Squeeze vulnerable to CVE-2010-2943 (xfs+NFS unlinked inode access)

On Wed, 16 Feb 2011, Pascal Hambourg wrote:
> Johan Grönqvist a écrit :
> > 2011-02-15 22:46, Kelly Dean skrev:
> >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> >> published Sept 30, 2010, and says that Linux is vulnerable.
> >> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
> >> fixed, or does it have the vulnerability?


> > The updates to the 2.6.32 kernel thus seems to be incorporated into the 
> > version in squeeze. The page you refer to lists as vulnerable, 
> > but no higher versions of 2.6.32, and as appears to be 
> > incorporated in squeeze, it seems that squeeze might not be vulnerable.
> I do not know if 2.6.32 was vulnerable either, but looking at upstream
> kernel changelogs it seems that the fix was not backported to any
> upstream -stable (now -longterm) release older than 2.6.35, including
> 2.6.32. So if upstream 2.6.32 was vulnerable, still is.


It is supposed to be vulnerable.

Upstream is sitting on backports of this one for some reason, because it is
not on any stable or longterm kernel as far as I can see.

RedHat fixed this one:

Ubuntu also did:
http://www.ubuntuupdates.org/packages/show/199704  (Version: 2.6.32-27.49)

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to: