In <20110509043430.GA1984@cox.net>, Robert Holtzman wrote:
>On Sun, May 08, 2011 at 10:08:31PM +0200, Florian Weimer wrote:
>> * Kelly Dean:
>> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
>> > published Sept 30, 2010, and says that Linux 2.6.32.5 is
>> > vulnerable. Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is
>> > Squeeze's kernel fixed, or does it have the vulnerability?
>>
>> According to our records, this issue was addressed in version
>> 2.6.32-31 of the linux-2.6 package, which is also the version
>> currently in squeeze.
>
>If so, why is my squeeze installation, fully updated, showing 2.6.32-5?

Because you don't understand Debian kernel packaging.

% apt-cache policy linux-image-2.6.32-5-amd64
linux-image-2.6.32-5-amd64:
  Installed: 2.6.32-31
  Candidate: 2.6.32-31
  Version table:
     2.6.32-34 0
        850 http://127.0.0.1/debian/ squeeze-proposed-updates/main amd64 Packages
 *** 2.6.32-31 0
        900 http://127.0.0.1/debian/ squeeze/main amd64 Packages
        100 /var/lib/dpkg/status

The package name is "linux-image-2.6.32-5-amd64"; the package version is
"2.6.32-31"; the .deb file would be named
"linux-image-2.6.32-5-amd64_2.6.32-31.deb".

For normal (i.e. non-meta-) packages:
The package name is (currently) of the form
"linux-image-$upstream_version-$ABI_version-$arch"; the package version is
"$upstream_version-$debian_version" -- like most other packages.

Part of the version is in the package name to allow for co-installation. A
similar naming is used for shared libraries for the same purpose. Depending
on upstream support (and maintainer support) for co-installation, all or part
of the version string may be included in package, directory, and file names.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
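The name/version distinction explained in the message above, as an added example that is not part of the original message: it separates the package name from the installed version in `apt-cache policy` output and checks the version against the fixed release named in the thread. The function names are hypothetical, the sample text is constructed from the quoted output, and the comparison is a reimplementation of dpkg's version ordering written for this example.

```python
import re

# Constructed sample: the header lines of the `apt-cache policy` output quoted above.
POLICY = """linux-image-2.6.32-5-amd64:
  Installed: 2.6.32-31
  Candidate: 2.6.32-31
"""
FIXED_IN = "2.6.32-31"  # version the thread says addressed CVE-2010-2943

def _order(c):
    # dpkg character ordering: '~' sorts before end-of-string, letters before other symbols.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Compare the non-digit runs character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Compare the digit runs numerically (an empty run counts as 0).
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
        i, j = i + len(na), j + len(nb)
    return 0

def _split(version):
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return <0, 0 or >0 using dpkg's epoch / upstream / revision ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(policy_text, fixed_in):
    """Separate the package name from the installed version and test the version."""
    name = re.match(r"(\S+):", policy_text).group(1)
    installed = re.search(r"^\s*Installed:\s*(\S+)", policy_text, re.M).group(1)
    # Name layout from the message: linux-image-$upstream_version-$ABI_version-$arch
    parts = re.match(r"linux-image-(\d[\d.]*)-(\d+)-(.+)$", name)
    return {"package": name, "abi": parts.group(2), "arch": parts.group(3),
            "installed": installed, "patched": compare_versions(installed, fixed_in) >= 0}

if __name__ == "__main__":
    print(audit(POLICY, FIXED_IN))
```

On a Debian host, `dpkg --compare-versions` performs the same comparison authoritatively; the point here is that the check must use the Installed version, not the "2.6.32-5" embedded in the package name.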