
Re: Squeeze vulnerable to CVE-2010-2943 (xfs+NFS unlinked inode access)



On Wed, Feb 16, 2011 at 07:59:16AM -0200, Henrique de Moraes Holschuh wrote:
> On Wed, 16 Feb 2011, Pascal Hambourg wrote:
> > Johan Grönqvist wrote:
> > > 2011-02-15 22:46, Kelly Dean wrote:
> > >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> > >> published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
> > >> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
> > >> fixed, or does it have the vulnerability?
> 
> ...
> 
> > > The updates to the 2.6.32 kernel thus seem to be incorporated into the
> > > version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable, 
> > > but no higher versions of 2.6.32, and as 2.6.32.28 appears to be 
> > > incorporated in squeeze, it seems that squeeze might not be vulnerable.
> > 
> > I do not know if 2.6.32 was vulnerable either, but looking at upstream
> > kernel changelogs it seems that the fix was not backported to any
> > upstream -stable (now -longterm) release older than 2.6.35, including
> > 2.6.32. So if upstream 2.6.32 was vulnerable, 2.6.32.28 still is.
> 
> http://security-tracker.debian.org/tracker/CVE-2010-2943
> 
> It is supposed to be vulnerable.

I've backported a fix for this, but it was too late to make the
initial release of squeeze. The fix is queued for the first update to
squeeze, see:
  http://svn.debian.org/wsvn/kernel-sec/active/CVE-2010-2943

> Upstream is sitting on backports of this one for some reason, because it is
> not on any stable or longterm kernel as far as I can see.

I forwarded our backport to stable, and it has been tentatively
accepted for the 2.6.32-longterm tree.

> RedHat fixed this one:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2943
> 
> Ubuntu also did:
> http://www.ubuntuupdates.org/packages/show/199704  (Version: 2.6.32-27.49)

Yes, but note that backport introduced a regression:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/692848

