Re: Squeeze vulnerable to CVE-2010-2943 (xfs+NFS unlinked inode access)
- From: dann frazier <dannf@xxxxxxxxxx>
- Date: Thu, 17 Feb 2011 16:15:42 -0700
On Wed, Feb 16, 2011 at 07:59:16AM -0200, Henrique de Moraes Holschuh wrote:
On Wed, 16 Feb 2011, Pascal Hambourg wrote:
Johan Grönqvist wrote:
2011-02-15 22:46, Kelly Dean wrote:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
fixed, or does it have the vulnerability?
...
The updates to the 2.6.32 kernel thus seem to be incorporated into the
version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable,
but no higher versions of 2.6.32, and as 2.6.32.28 appears to be
incorporated in squeeze, it seems that squeeze might not be vulnerable.
I do not know if 2.6.32 was vulnerable either, but looking at upstream
kernel changelogs it seems that the fix was not backported to any
upstream -stable (now -longterm) release older than 2.6.35, including
2.6.32. So if upstream 2.6.32 was vulnerable, 2.6.32.28 still is.
http://security-tracker.debian.org/tracker/CVE-2010-2943
It is supposed to be vulnerable.
I've backported a fix for this, but it was too late to make the
initial release of squeeze. The fix is queued for the first update to
squeeze, see:
http://svn.debian.org/wsvn/kernel-sec/active/CVE-2010-2943
Upstream is sitting on backports of this one for some reason, because it is
not on any stable or longterm kernel as far as I can see.
I forwarded our backport to stable, and it has been tentatively
accepted for the 2.6.32-longterm tree.
RedHat fixed this one:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2943
Ubuntu also did:
http://www.ubuntuupdates.org/packages/show/199704 (Version: 2.6.32-27.49)
Yes, but note that the backport introduced a regression:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/692848
Archive: http://lists.debian.org/20110217231542.GA27415@xxxxxxxxx
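The thread turns on a version-string confusion: upstream's 2.6.32.5 is a -stable point release, while Debian's 2.6.32-5 is a package revision (the number after the hyphen) that says nothing about which point release the package incorporates; the only reliable way to answer "is this CVE fixed?" is the package changelog or the security tracker. The following script is an added example, not code from this thread or from the Debian kernel team: it parses both kinds of version string, reads a small constructed debian/changelog, and reports which -stable point release was merged and whether a given CVE is named at or below the installed revision. All changelog stanzas, maintainer addresses and the fixing revision 2.6.32-31 are constructed for illustration and are not the real Debian changelog; the revision comparison is a simplified, dpkg-like ordering that does not implement tilde handling.

```python
"""Added example (not from the thread): upstream -stable point release vs
Debian package revision, and CVE-fixed checks driven by the package changelog.
The changelog below is CONSTRUCTED for illustration; revision numbers and the
fixing entry are placeholders, not the real linux-2.6 changelog."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KernelVersion:
    base: tuple      # upstream kernel, e.g. (2, 6, 32)
    point: int       # upstream -stable point release in 2.6.32.N; 0 if absent
    revision: str    # Debian/Ubuntu package revision after '-'; '' if absent


_VER_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.+~]+))?$')


def parse_kernel_version(text):
    """'2.6.32.5' -> point release 5; '2.6.32-5' -> Debian revision 5.
    They look alike but mean different things: the revision alone does not
    tell you which -stable point release the package has incorporated."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f'unrecognised kernel version: {text!r}')
    base = tuple(int(x) for x in m.group(1, 2, 3))
    point = int(m.group(4)) if m.group(4) else 0
    return KernelVersion(base, point, m.group(5) or '')


def _segments(rev):
    # alternate numeric / non-numeric runs, numeric runs compared as integers
    return [int(s) if s.isdigit() else s for s in re.findall(r'\d+|\D+', rev)]


def compare_revisions(a, b):
    """Simplified dpkg-style ordering: '5' < '30', '27.49' > '27.9'.
    Returns -1, 0 or 1. Does not implement dpkg's '~' rule (assumption)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        return -1 if str(x) < str(y) else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


_STANZA_RE = re.compile(r'^(\S+) \(([^)]+)\) ', re.M)


def parse_changelog(text):
    """Return [(package_version, body), ...] for each changelog stanza,
    in file order (Debian changelogs list the newest version first)."""
    heads = list(_STANZA_RE.finditer(text))
    out = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        out.append((h.group(2), text[h.end():end]))
    return out


def first_version_fixing(changelog_text, cve):
    """Oldest package version whose entry names the CVE, or None."""
    for version, body in reversed(parse_changelog(changelog_text)):
        if cve in body:
            return version
    return None


def stable_point_release_incorporated(changelog_text):
    """Highest upstream point release the changelog says was merged
    (entries of the form 'Update to 2.6.32.N')."""
    best = 0
    for _, body in parse_changelog(changelog_text):
        for m in re.finditer(r'[Uu]pdate to (\d+\.\d+\.\d+\.\d+)', body):
            best = max(best, parse_kernel_version(m.group(1)).point)
    return best


def cve_fixed_in(installed, changelog_text, cve):
    """True/False if the installed package is at or past the revision naming
    the CVE; None when the changelog is for a different upstream base and so
    cannot answer the question (a newer upstream is not automatically fixed)."""
    fixed = first_version_fixing(changelog_text, cve)
    if fixed is None:
        return False
    inst, fix = parse_kernel_version(installed), parse_kernel_version(fixed)
    if inst.base != fix.base:
        return None
    return compare_revisions(inst.revision, fix.revision) >= 0


# CONSTRUCTED sample changelog: versions, dates and the fixing revision are
# placeholders chosen for this example, not Debian's real changelog entries.
SAMPLE_CHANGELOG = """\
linux-2.6 (2.6.32-31) stable-security; urgency=high

  * xfs: backport fix for unlinked inode access via NFS (CVE-2010-2943)

 -- Example Maintainer <maintainer@example.invalid>  Thu, 17 Feb 2011 00:00:00 +0000

linux-2.6 (2.6.32-30) stable; urgency=low

  * Update to 2.6.32.28

 -- Example Maintainer <maintainer@example.invalid>  Wed, 12 Jan 2011 00:00:00 +0000

linux-2.6 (2.6.32-5) unstable; urgency=low

  * Update to 2.6.32.5

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Feb 2010 00:00:00 +0000
"""

if __name__ == '__main__':
    for v in ('2.6.32.5', '2.6.32-5'):
        print(v, '->', parse_kernel_version(v))
    print('point release merged:', stable_point_release_incorporated(SAMPLE_CHANGELOG))
    for installed in ('2.6.32-30', '2.6.32-31'):
        print(installed, 'fixed for CVE-2010-2943:',
              cve_fixed_in(installed, SAMPLE_CHANGELOG, 'CVE-2010-2943'))
```

Note that `cve_fixed_in` deliberately refuses to answer for a different upstream base: as the thread points out, the upstream fix was not backported to older -stable trees, so "newer upstream" is not the same as "fixed", and the per-release changelog (or the distribution's security tracker) is the source of truth.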