
Re: CVE-2016-7117 Remote code execution vulnerability in kernel networking subsystem



Hi Jan,

On Wed, Oct 05, 2016 at 09:49:28AM +0200, Jan Lühr wrote:
> Hello,
> 
> 
> On 10/05/2016 at 06:52 AM, Salvatore Bonaccorso wrote:
> > On Tue, Oct 04, 2016 at 11:54:12PM +0200, Jan Lühr wrote:
> >> Hello,
> >> On 10/04/2016 at 07:57 PM, Nicholas Luedtke wrote:
> >>> On 10/04/2016 11:40 AM, Felix Knecht wrote:
> >>>
> >>>> On 10/04/2016 06:38 PM, Jan Lühr wrote:
> >>>>> CVE-2016-7117 was patched in Android today. I don't see much information
> >>>>> right now. The title is rather frightening - the issue appears to be urgent.
> >>>> The following upstream kernel commit is referenced in the security bulletin:
> >>>>
> >>>> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d
> >>>>
> >>>> No idea if this is fixed in Debian though.
> >>>>
> >>>> Felix
> >>>>
> >>> Looks like it was picked up when Debian rolled to 3.16.36-1.
> > I updated the security-tracker information for CVE-2016-7117:
> > 
> > https://security-tracker.debian.org/tracker/CVE-2016-7117 . The fix is
> > as well included in 3.16.36-1.
> 
> Thanks for the info!
> Updating dsa-3659 may help confused people like me ;-).

I'm a bit against doing any further change to the text for
DSA-3659. The DSA was for the CVEs included in the 3.16.36-1+deb8u1,
3.16.36-1 was back then already accepted for the next point release
and the fix is in the 3.16.36-1 part of the upload, not in the
3.16.36-1+deb8u1 upload for DSA-3659.

I hope though the direct link to the CVE, as
https://security-tracker.debian.org/tracker/CVE-2016-7117 is helpful
enough.

Thanks though for the comment!

Regards,
Salvatore

