
Re: Any idea when CVE-2016-5696 is going to get fixed?



On Friday 26 August 2016 16:13:09 Mark Fletcher wrote:
> On Sat, Aug 27, 2016 at 12:04 AM Perry E. Metzger <perry@piermont.com> wrote:
> > According to:
> >
> > https://security-tracker.debian.org/tracker/CVE-2016-5696
> >
> > Wheezy and Jessie are still vulnerable. The attack in question is
> > kind of bad (it allows blind injection of arbitrary data into
> > things like http downloads) and has been known for a few weeks now to
> > the general public.
> >
> > Any idea out there when updates to the kernels in question will be
> > released?
>
> I could have sworn I saw a fix for this sometime last week, as I would only
> have become aware of it when the security advisory was published. I built a
> new kernel based on 4.7 for my non-debian boxes last weekend, and assumed
> the regular updates would take care of Debian. I've long since deleted the
> email of course, but I am not sure how I would have even known there was an
> issue unless there had been one of the usual mails saying "this issue is
> fixed in...". But I agree that is not how the CVE item you linked to makes
> it look. Could there be a duplicate, with all the updates on the other one?

The "fix" seems not to have been dealt with yet, but the list has published a 
workaround at some length in this thread:

https://lists.debian.org/msgid-search/slrnnqp80d.67r.curty@einstein.electron.org

These in particular discuss the "solution":

https://lists.debian.org/msgid-search/20160811162119.GA19111@e1030

https://lists.debian.org/msgid-search/28cd04df-18a6-caa9-d4ff-b4761c3f7dd7@gmail.com

https://lists.debian.org/msgid-search/slrnnqr3sv.3uk.curty@einstein.electron.org

Lisi

