Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?



* Michael Stone:

> On Thu, Oct 13, 2016 at 02:45:29PM -0000, te3d4q@sigaint.org wrote:
>>As you asked me for a specific case, may I bring up CVE-2016-5696.
>>
>>A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by
>>Eric Dumazet (cf.
>>https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758)
>>
>>Ben Hutchings uploaded his work on the fix on August 12, 2016 (cf.
>>https://anonscm.debian.org/cgit/kernel/linux.git/log/?h=jessie-security)
>>
>>Debian officially pushed out the fix on September 4, 2016 via DSA-3659-1.
>>
>>Are there reasons for the 23-day delay in providing end-users the patch?
>
> I don't know the specifics of this one but kernel updates are
> generally kind of a mess and in this case we're talking about an issue
> that basically boils down to a DoS for internet-facing hosts and for
> which there existed a mitigation. I'm personally not too concerned
> about the timeline.

Right.  Debian kernel updates can only be applied with a reboot.  If
we publish a kernel update, its mere availability may put some of our
users out of compliance with their policies, which is why we batch
these updates.
