On Tue, Apr 30, 2013 at 07:49:01PM +0200, Arne Wichmann wrote:
> Hi. Just to remind you: there is quite a number of old security problems
> open. For most of these fixes are available:
>
> Problem         Fix
> CVE-2012-4542   https://lkml.org/lkml/2013/1/24/279

No fix has been agreed upstream.

> CVE-2012-2372   https://patchwork.kernel.org/patch/1493571/

No fix has been agreed upstream. rds is not auto-loaded because we
already knew it was crap.

> CVE-2012-4508   Fixed in unstable, but not in stable

I don't remember this one, but it may be too difficult and risky to
backport.

> CVE-2012-5374   9c52057c698fb96f8f07e7a4bcf4801a092bda89
> CVE-2012-5375   "

Unlikely to be fixed. btrfs is a tech preview in both squeeze and
wheezy.

> CVE-2012-6539   43da5f2e0d0c69ded3d51907d9552310a6b545e8

Fixed in wheezy; pending for squeeze-security.

> CVE-2012-6549   fe685aabf7c8c9f138e5ea900954d295bf229175

Pending for wheezy and squeeze-security.

> CVE-2013-0343   no good fix, but http://seclists.org/oss-sec/2013/q1/92
> contains some tries and discussion. moreover I am not sure if the problem
> is real.

It does seem to be a persistent denial of service. Still waiting for a
fix to be agreed upstream, though.

> CVE-2013-1819   eb178619f930fa2ba2348de332a1ff1c66a31424

Looking unlikely to be fixed. Even an attempt to backport this to 3.7
resulted in a regression.

> Is there any chance that these are fixed before wheezy gets stable?

There will be no updates to testing/unstable before the release. The
pending squeeze-security update wants more testing so probably won't be
ready before then either.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus

Archive: http://lists.debian.org/20130430185750.gj2...@decadent.org.uk