Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?
Hello,
Johan Grönqvist wrote:
> 2011-02-15 22:46, Kelly Dean wrote:
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
>> published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
>> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
>> fixed, or does it have the vulnerability?
>
> To begin with: I do not know if the kernel in squeeze is vulnerable.
[...]
> <http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.32-30/changelog>,
> where I just quote parts of two entries:
>
> linux-2.6 (2.6.32-30) unstable; urgency=high
> [...]
> * Add stable 2.6.32.28:
> [...]
> -- Ben Hutchings <ben@decadent.org.uk> Tue, 11 Jan 2011 05:42:11 +0000
[...]
> The updates to the 2.6.32 kernel thus seem to be incorporated into the
> version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable,
> but no higher versions of 2.6.32, and as 2.6.32.28 appears to be
> incorporated in squeeze, it seems that squeeze might not be vulnerable.
I do not know if 2.6.32 was vulnerable either, but looking at upstream
kernel changelogs it seems that the fix was not backported to any
upstream -stable (now -longterm) release older than 2.6.35, including
2.6.32. So if upstream 2.6.32 was vulnerable, 2.6.32.28 still is.
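The reasoning in this thread (find the highest upstream -stable release merged into the Debian package, then ask whether a fix that first appeared in a later series says anything about it) can be mechanised. The script below is an added example, not code from the thread or from Debian; the changelog text is a constructed excerpt modelled on the quoted 2.6.32-30 entry (the second entry is invented with a placeholder maintainer), and "2.6.35" as the first fixed series is an assumption taken from the remark above about the fix not being backported to anything older than 2.6.35.

```python
import re

# Constructed changelog excerpt for the example. The first entry mirrors the one
# quoted in the thread; the second is invented to show multi-version lines.
CHANGELOG = """\
linux-2.6 (2.6.32-30) unstable; urgency=high

  * Add stable 2.6.32.28:
    - (upstream summary lines elided)

 -- Ben Hutchings <ben@decadent.org.uk>  Tue, 11 Jan 2011 05:42:11 +0000

linux-2.6 (2.6.32-29) unstable; urgency=low

  * Add stable 2.6.32.26, 2.6.32.27:

 -- Maintainer Name <maintainer@example.org>  Mon, 01 Jan 2011 00:00:00 +0000
"""


def parse_version(text):
    """'2.6.32.28' -> (2, 6, 32, 28), so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def series(version):
    """Stable series of a point release: (2, 6, 32, 28) -> (2, 6, 32)."""
    return version[:3]


def stable_releases_merged(changelog):
    """Every upstream version named on an 'Add stable ...' line, ascending."""
    found = set()
    for line in changelog.splitlines():
        m = re.match(r"\s*\*\s*Add stable ([0-9][0-9., ]*[0-9])", line)
        if m:
            for v in re.split(r"[,\s]+", m.group(1)):
                found.add(parse_version(v))
    return sorted(found)


def fix_status(kernel, last_listed_vulnerable, first_fixed):
    """Classify `kernel` against a CVE record.

    last_listed_vulnerable: highest version the advisory lists as affected.
    first_fixed: version (or series) where the fix first landed upstream.
    A fix in a *later* series proves nothing about an earlier series unless
    it was backported, so such cases come back as 'unknown', not 'fixed'.
    """
    if series(kernel) == series(first_fixed):
        return "fixed" if kernel >= first_fixed else "vulnerable"
    if kernel <= last_listed_vulnerable:
        return "vulnerable"
    return "unknown"  # newer than what the advisory lists; check for a backport


def check_changelog(changelog, last_listed_vulnerable, first_fixed):
    """Return (highest merged stable release, its status against the CVE)."""
    merged = stable_releases_merged(changelog)
    highest = merged[-1]
    return highest, fix_status(highest, last_listed_vulnerable, first_fixed)


if __name__ == "__main__":
    # Assumed for the example: advisory lists through 2.6.32.20, fix in 2.6.35.
    highest, status = check_changelog(CHANGELOG, (2, 6, 32, 20), (2, 6, 35))
    print(".".join(map(str, highest)), status)
```

The point of the `unknown` result is the one made in the reply: a package that merged 2.6.32.28 is newer than anything the NVD entry lists, but that only helps if the fix was actually backported into the 2.6.32 -stable series, which has to be checked in the upstream changelog rather than inferred from the version number.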