
Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?



In <20110509043430.GA1984@cox.net>, Robert Holtzman wrote:
>On Sun, May 08, 2011 at 10:08:31PM +0200, Florian Weimer wrote:
>> * Kelly Dean:
>> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
>> > published Sept 30, 2010, and says that Linux 2.6.32.5 is
>> > vulnerable. Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is
>> > Squeeze's kernel fixed, or does it have the vulnerability?
>> 
>> According to our records, this issue was addressed in version
>> 2.6.32-31 of the linux-2.6 package, which is also the version
>> currently in squeeze.
>
>If so, why is my squeeze installation, fully updated, showing 2.6.32-5?

Because you don't understand Debian kernel packaging.

% apt-cache policy linux-image-2.6.32-5-amd64
linux-image-2.6.32-5-amd64:
  Installed: 2.6.32-31
  Candidate: 2.6.32-31
  Version table:
     2.6.32-34 0
        850 http://127.0.0.1/debian/ squeeze-proposed-updates/main amd64 Packages
 *** 2.6.32-31 0
        900 http://127.0.0.1/debian/ squeeze/main amd64 Packages
        100 /var/lib/dpkg/status

The package name is "linux-image-2.6.32-5-amd64"; the package version is 
"2.6.32-31"; the .deb file would be named 
"linux-image-2.6.32-5-amd64_2.6.32-31.deb".

For normal (i.e. non-meta-) packages:  The package name is (currently) of the 
form "linux-image-$upstream_version-$ABI_version-$arch"; the package version 
is "$upstream_version-$debian_version" -- like most other packages.

Part of the version is in the package name to allow for co-installation.  A 
similar naming is used for shared libraries for the same purpose.  Depending 
on upstream support (and maintainer support) for co-installation, all or part 
of the version string may be included in package, directory, and file names.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
