Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

To: debian-security@lists.debian.org
Subject: Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
From: Michael Stone <mstone@debian.org>
Date: Thu, 13 Oct 2016 14:35:36 -0400
Message-id: <[🔎] 3fc202d2-9173-11e6-9b6a-00163eeb5320@msgid.mathom.us>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 6ca3f98cbfa17cdc41760edaba19229e.webmail@localhost>
References: <[🔎] eae7d98cc7550642774010d3fa7fdfb4.webmail@localhost> <[🔎] slrnnvq0pp.grj.jmm@inutil.org> <[🔎] e13649a450ef6829f1f4d38cd6051e8d.webmail@localhost> <[🔎] 20161011210128.GA22554@inutil.org> <[🔎] 3cce61b9eed05dfe180e771e638706ca.webmail@localhost> <[🔎] 25fba864-908b-11e6-9b6a-00163eeb5320@msgid.mathom.us> <[🔎] 6ca3f98cbfa17cdc41760edaba19229e.webmail@localhost>

On Thu, Oct 13, 2016 at 02:45:29PM -0000, te3d4q@sigaint.org wrote:

As you asked me for a specific case, may I bring up CVE-2016-5696.

A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by
Eric Dumazet (cf.
https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758)

Ben Hutchings uploaded his work on the fix on August 12, 2016 (cf.
https://anonscm.debian.org/cgit/kernel/linux.git/log/?h=jessie-security)

Debian officially pushed out the fix on September 4, 2016 via DSA-3659-1.

Are there reasons for the 23-day delay in providing end-users the patch?

I don't know the specifics of this one but kernel updates are generallykind of a mess and in this case we're talking about an issue thatbasically boils down to a DoS for internet-facing hosts and for whichthere existed a mitigation. I'm personally not too concerned about thetimeline.

Mike Stone

Reply to:

Follow-Ups:
- Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: Florian Weimer <fw@deneb.enyo.de>

References:
- Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: te3d4q@sigaint.org
- Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: Moritz Mühlenhoff <jmm@inutil.org>
- Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: te3d4q@sigaint.org
- Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: Moritz Muehlenhoff <jmm@debian.org>
- Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: te3d4q@sigaint.org
- Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: Michael Stone <mstone@debian.org>
- Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: te3d4q@sigaint.org

Prev by Date: Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
Next by Date: Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
Previous by thread: Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
Next by thread: Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
Index(es):
- Date
- Thread