
Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?



* Kelly Dean:

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> published Sept 30, 2010, and says that Linux 2.6.32.5 is
> vulnerable. Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is
> Squeeze's kernel fixed, or does it have the vulnerability?

According to our records, this issue was addressed in version
2.6.32-31 of the linux-2.6 package, which is also the version
currently in squeeze.

> http://security-tracker.debian.org/tracker/status/release/stable
> currently says that "the stable" suite has the vulnerability, and
> Squeeze is currently the latest stable, but the page doesn't
> explicitly say that Squeeze is the latest stable and has the
> vulnerability, and there's no timestamp on the page. The
> last-modified header appears to have the common bug of reporting the
> server's current clock time rather than the page's last modified
> timestamp, so that's useless too.

The page is generated dynamically.  The release mapping is the current
one.  The first table, listing packages, also shows the current
versions of the package and whether they are vulnerable or not.
As far as I can tell, all the information you need is there.

> Did Squeeze really get released with a high-urgency remote kernel
> vulnerability which was published four months earlier?

Security bugs are not release blockers because we have a process for
fixing them after the release.

