
Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?



Hello,

Johan Grönqvist wrote:
> 2011-02-15 22:46, Kelly Dean wrote:
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
>> published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
>> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
>> fixed, or does it have the vulnerability?
> 
> To begin with: I do not know if the kernel in squeeze is vulnerable.
[...]
> <http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.32-30/changelog>, 
> where I just quote parts of two entries:
> 
> linux-2.6 (2.6.32-30) unstable; urgency=high
>    [...]
>    * Add stable 2.6.32.28:
>    [...]
>   -- Ben Hutchings <ben@decadent.org.uk>  Tue, 11 Jan 2011 05:42:11 +0000
[...]
> The updates to the 2.6.32 kernel thus seem to be incorporated into the
> version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable,
> but no higher versions of 2.6.32, and as 2.6.32.28 appears to be
> incorporated in squeeze, it seems that squeeze might not be vulnerable.

I do not know if 2.6.32 was vulnerable either, but looking at upstream
kernel changelogs it seems that the fix was not backported to any
upstream -stable (now -longterm) release older than 2.6.35, including
2.6.32. So if upstream 2.6.32 was vulnerable, 2.6.32.28 still is.
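The check being argued about above, as an added worked example (not code from the thread or from Debian): read the "Add stable x.y.z.N" entries out of a Debian linux-2.6 changelog to find the highest upstream point release merged, then compare that against the stable series in which the fix was actually backported. The changelog excerpt, maintainer line and backport table below are constructed, modelled on the 2.6.32-30 entry quoted earlier; the 2.6.35 point release is a placeholder because the thread does not give it.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constructed changelog excerpt in the layout quoted in the thread
# (placeholder maintainer and dates, not the real Debian entries).
CHANGELOG = """\
linux-2.6 (2.6.32-30) unstable; urgency=high

  * Add stable 2.6.32.28:
    [...]

 -- Kernel Maintainer <placeholder@example.org>  Tue, 11 Jan 2011 00:00:00 +0000

linux-2.6 (2.6.32-29) unstable; urgency=high

  * Add stable 2.6.32.27:
  * Add stable 2.6.32.26:
"""

# Stable series -> first point release carrying the fix. Constructed from
# the thread's claim: backported upstream only from 2.6.35 on, not to
# 2.6.32. The exact 2.6.35.x point release is a placeholder.
BACKPORTS: Dict[Version, Version] = {(2, 6, 35): (2, 6, 35, 0)}

STABLE_RE = re.compile(r"^\s*\*\s*Add stable (\d+(?:\.\d+)+)", re.MULTILINE)


def parse_version(text: str) -> Version:
    """'2.6.32.28' -> (2, 6, 32, 28); tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def split_debian_version(pkg_version: str) -> Tuple[Version, int]:
    """'2.6.32-30' -> ((2, 6, 32), 30). The part after '-' is the Debian
    package revision, not an upstream point release like 2.6.32.5."""
    upstream, revision = pkg_version.split("-", 1)
    return parse_version(upstream), int(revision)


def highest_stable_merged(changelog: str) -> Optional[Version]:
    """Highest upstream -stable point release the changelog says was merged."""
    merged = [parse_version(m.group(1)) for m in STABLE_RE.finditer(changelog)]
    return max(merged) if merged else None


def fix_status(merged: Version, backports: Dict[Version, Version]) -> str:
    """Decide from the merged point release whether a fix is present."""
    fixed_at = backports.get(merged[:3])   # look up the x.y.z series
    if fixed_at is None:
        return "not backported to this series"  # vulnerable if the base was
    return "fixed" if merged >= fixed_at else "vulnerable"
```

Running `fix_status(highest_stable_merged(CHANGELOG), BACKPORTS)` yields "not backported to this series", which is exactly why merging 2.6.32.28 says nothing about a fix that only reached 2.6.35.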

