
Re: Any idea when CVE-2016-5696 is going to get fixed?



On Mon, 29 Aug 2016 03:43:15 +0000
Mark Fletcher <mark27q1@gmail.com> wrote:

> Version 4.7 of the kernel contains a fix, which only required changes to
> one source file, so I assume it's a question of back porting that fix into
> the Jessie version of the kernel. I might take a look at trying that and
> submit a patch if I can get it to work. (Now watch me trip over a dozen
> issues I didn't think of when I try this)

Greg K-H backported the fix(es) to 3.14.76. And a fix to the fix in 3.14.77. And Ben H. has the patch in 3.16.37 (which is likely closer to what you need). The patches involve increasing the limit to 1000 ± some random factor, and per-socket rate limiting. It shouldn't be *too* difficult to backport that patch to Debian's kernel.

