
Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?



2011-02-15 22:46, Kelly Dean wrote:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
> fixed, or does it have the vulnerability?

To begin with: I do not know if the kernel in squeeze is vulnerable.


On <http://packages.debian.org/squeeze/linux-image-2.6.32-5-amd64>, one can read that for the kernel in squeeze, the package _name_ contains linux-image-2.6.32-5, whereas the _version_ is 2.6.32-30. None of these appears to refer to the upstream version number 2.6.32.5, as can be seen from the changelog at <http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.32-30/changelog>, where I just quote parts of two entries:


linux-2.6 (2.6.32-30) unstable; urgency=high
  [...]
  * Add stable 2.6.32.28:
  [...]
 -- Ben Hutchings <ben@decadent.org.uk>  Tue, 11 Jan 2011 05:42:11 +0000


linux-2.6 (2.6.32-29) unstable; urgency=high
  [...]
  * Add stable 2.6.32.27:
  [...]
 -- Ben Hutchings <ben@decadent.org.uk>  Fri, 10 Dec 2010 05:45:11 +0000


The updates to the 2.6.32 kernel thus seem to be incorporated into the version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable, but no higher versions of 2.6.32, and as 2.6.32.28 appears to be incorporated in squeeze, it seems that squeeze might not be vulnerable.



> http://security-tracker.debian.org/tracker/status/release/stable
> currently says that[...]

I do not know how that page works, so I cannot comment on it.

> Did Squeeze really get released with a high-urgency remote kernel
> vulnerability which was published four months earlier?

I do not know.

/ johan
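The check johan walks through above, as an added example that is not part of this thread or of Debian's own tooling: a small Python script that splits a Debian package version into its upstream part and Debian revision, parses changelog entries of the kind quoted above, works out the highest upstream stable release ("Add stable 2.6.32.N") incorporated at a given package version, and compares it with the highest 2.6.32.x release the NVD entry lists as vulnerable. The changelog text is constructed from the two entries quoted in the mail plus a hypothetical older 2.6.32-5 entry with a made-up maintainer line; the 2.6.32.20 threshold is the value johan reads off the NVD page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample changelog: the two entries quoted in the thread, plus a
# hypothetical older 2.6.32-5 entry (maintainer and date are made up) so the
# parser has to pick the right entry rather than the first one it sees.
SAMPLE_CHANGELOG = """\
linux-2.6 (2.6.32-30) unstable; urgency=high

  * Add stable 2.6.32.28:
    - (fix list elided in the quoted mail)

 -- Ben Hutchings <ben@decadent.org.uk>  Tue, 11 Jan 2011 05:42:11 +0000

linux-2.6 (2.6.32-29) unstable; urgency=high

  * Add stable 2.6.32.27:

 -- Ben Hutchings <ben@decadent.org.uk>  Fri, 10 Dec 2010 05:45:11 +0000

linux-2.6 (2.6.32-5) unstable; urgency=low

  * Add stable 2.6.32.5:

 -- Hypothetical Maintainer <nobody@example.invalid>  Mon, 01 Feb 2010 00:00:00 +0000
"""

# Debian changelog entry header: "<source> (<version>) <dist>; urgency=<level>"
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\S+)$"
)
# Bullet lines of the form "  * Add stable 2.6.32.28:"
STABLE_RE = re.compile(r"^\s*\*\s*Add stable (?P<ver>\d+(?:\.\d+)+):?")


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.6.32.28' into (2, 6, 32, 28) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def split_debian_version(version: str) -> Tuple[str, Optional[str]]:
    """'2.6.32-30' -> ('2.6.32', '30'): upstream version and Debian revision.

    The '-30' is Debian's packaging revision, not upstream's '2.6.32.30'.
    """
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        return version, None
    return upstream, revision


def parse_changelog(text: str) -> List[Dict]:
    """Return entries (newest first, as in the file) with the stable releases each adds."""
    entries: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {
                "version": header.group("version"),
                "urgency": header.group("urgency"),
                "stable": [],
            }
            entries.append(current)
            continue
        if current is None:
            continue
        stable = STABLE_RE.match(line)
        if stable:
            current["stable"].append(stable.group("ver"))
    return entries


def highest_stable_in(entries: List[Dict], package_version: str) -> Optional[str]:
    """Highest upstream stable release incorporated at package_version.

    Stable releases are cumulative, so the entry for package_version and every
    older entry below it count; newer entries above it do not.
    """
    reached = False
    found: List[str] = []
    for entry in entries:
        if entry["version"] == package_version:
            reached = True
        if reached:
            found.extend(entry["stable"])
    if not reached or not found:
        return None
    return max(found, key=version_tuple)


def newer_than_listed_vulnerable(incorporated: str, highest_listed_vulnerable: str) -> bool:
    """True if the incorporated stable release is above the highest one NVD lists as vulnerable.

    As in the mail, this is only a hint: 'not listed' is not the same as 'fixed',
    and a distribution may also backport a fix without bumping the stable version.
    """
    return version_tuple(incorporated) > version_tuple(highest_listed_vulnerable)


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    for pkg_version in ("2.6.32-30", "2.6.32-5"):
        upstream, revision = split_debian_version(pkg_version)
        stable = highest_stable_in(entries, pkg_version)
        hint = newer_than_listed_vulnerable(stable, "2.6.32.20") if stable else False
        print(f"{pkg_version}: upstream {upstream}, Debian revision {revision}, "
              f"highest stable incorporated {stable}, above 2.6.32.20: {hint}")
```

Run against a real `/usr/share/doc/linux-image-*/changelog.Debian.gz` (decompressed) the same parser gives the stable level actually shipped; for the package name, only the version string matters, so the `-5` in `linux-image-2.6.32-5-amd64` is never mistaken for an upstream point release.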

