
Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?



On 2011-02-15, Kelly Dean <kellydeanch@yahoo.com> wrote:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable. Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel fixed, or does it have the vulnerability?

My interpretation of the overview provided by the NVD is that the
vulnerability applies only to XFS, and can only be exploited by
authenticated users. But I would be interested to hear the opinions of
more knowledgeable users.

>
> http://security-tracker.debian.org/tracker/status/release/stable currently says that "the stable" suite has the vulnerability, and Squeeze is currently the latest stable, but the page doesn't explicitly say that Squeeze is the latest stable and has the vulnerability, and there's no timestamp on the page. The last-modified header appears to have the common bug of reporting the server's current clock time rather than the page's last modified timestamp, so that's useless too.
>

I suspect that the page is dynamically generated, so the last-modified
header will always report the time at which the underlying database
query was executed.

> Did Squeeze really get released with a high-urgency remote kernel vulnerability which was published four months earlier?


-- 
Liam O'Toole
Cork, Ireland


