
Re: Any idea when CVE-2016-5696 is going to get fixed?



Hi,

On Mon, Aug 29, 2016 at 01:08:45AM -0400, Neal P. Murphy wrote:
> On Mon, 29 Aug 2016 03:43:15 +0000
> Mark Fletcher <mark27q1@gmail.com> wrote:
> 
> > Version 4.7 of the kernel contains a fix, which only required changes to
> > one source file, so I assume it's a question of back porting that fix into
> > the Jessie version of the kernel. I might take a look at trying that and
> > submit a patch if I can get it to work. (Now watch me trip over a dozen
> > issues I didn't think of when I try this)
> 
> Greg K-H backported the fix(es) to 3.14.76. And a fix to the fix in
> 3.14.77. And Ben H. has the patch in 3.16.37 (which is likely closer
> to what you need). The patches involve increasing the limit to 1000
> ± some random factor, and per-socket rate limiting. It shouldn't be
> *too* difficult to backport that patch to Debian's kernel.

The issue has already been worked on by Ben for all versions in sid,
jessie (and wheezy lts):

sid:
https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=sid&id=7184d7bfd94443b6403d71da639ec390224af594
(but then later just used as with 4.7.2 uploaded yesterday).

jessie:
https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=jessie-security&id=1bd5c3370523e5846019361b33a97c754db76f8d

wheezy:
https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=wheezy-security&id=f383788fb866fc61daf26836bccd92ebf7a6f02f

HTH,

Regards,
Salvatore

