On 2016-03-21 19:16:24, Brian May wrote:
> Brian May <b...@debian.org> writes:
>
>>> Wonder how many of the CVEs the Ubuntu version fixes.
>>
>> Will have a look at this now.
>
> Comparing the changelog with our security tracker (by hand; not sure if
> anybody has written a tool to automate this, if not might be a good
> idea):

I am not aware of any such tool. How did you do the following comparison - by hand?

> Not fixed in backported Ubuntu precise version 4.1.6.1-0ubuntu0.12.04.10:
> - CVE-2014-5146 (marked No DSA)
> - CVE-2014-5149 (marked No DSA)
> - CVE-2014-8104 (marked vulnerable; description says "Linux kernel
>   through 4.2.6" not sure if this means it is fixed or broken by 4.2.6)
> - CVE-2014-8341 (marked No DSA)

2014-8104 is probably a typo, as it concerns OpenVPN according to the security tracker. You probably mean CVE-2015-8104... I'll look at what that one implies specifically.

> Fixed in backported Ubuntu precise version 4.1.6.1-0ubuntu0.12.04.10:
> - CVE-2015-2152 / XSA-119
> - CVE-2015-2752 / XSA-125
> - CVE-2015-2756 / XSA-126
> - CVE-2015-3259 / XSA-137
> - CVE-2015-5165 / XSA-140
> - CVE-2015-5307 / XSA-156
> - CVE-2015-7504 / XSA-162 (not in Debian security tracker)
> - CVE-2015-7969 / XSA-149
> - CVE-2015-7970 / XSA-150
> - CVE-2015-7971 / XSA-152
> - CVE-2015-7972 / XSA-153
> - CVE-2015-8339, CVE-2015-8340 / XSA-159
> - CVE-2015-8550 / XSA-155
> - CVE-2015-8554 / XSA-164
> - CVE-2015-8555 / XSA-165
> - TEMP-0000000-CE3B44 / XSA-166
> - CVE-2016-1570 / XSA-167
> - CVE-2016-1571 / XSA-168
> - CVE-2016-2270 / XSA-154
> - CVE-2016-2271 / XSA-170

That is an impressive list, and it does seem like we should merge our efforts with Ubuntu here!

I was thinking that maybe there should be an announcement of the release switch, but looking at the release notes of 4.1.5 and 4.1.6, it seems just logical to follow those directly:

http://www.xenproject.org/downloads/xen-archives/supported-xen-41-series/xen-4161.html
http://www.xenproject.org/downloads/xen-archives/supported-xen-41-series/xen-415.html

... only bugfixes and CVEs there.

-- 
I've got to design so you can put it together out of garbage cans. In part because that's what I started from, but mostly because I don’t trust the industrial structure—they might decide to suppress us weirdos and try to deny us the parts we need.
- Lee Felsenstein
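
The by-hand comparison of a changelog against the security tracker discussed in this thread can be scripted. The following is an added example, not part of the original message and not an existing Debian or Ubuntu tool: the changelog excerpt, the placeholder older version, the tracker statuses and the function names are constructed; only the CVE ids and the one version string come from the thread.

```python
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Debian changelog entry header: "package (version) distribution; urgency=..."
HEADER_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]* \((?P<ver>[^)]+)\) ")

# Constructed changelog excerpt (newest entry first, as in a real changelog).
CHANGELOG = """\
xen (4.1.6.1-0ubuntu0.12.04.10) precise-security; urgency=medium

  * Applying Xen Security Advisories:
    - CVE-2016-1570 / XSA-167
    - CVE-2016-2270 / XSA-154
    - CVE-2015-7504 / XSA-162

xen (0~older-placeholder) precise-security; urgency=medium

  * CVE-2015-2152 / XSA-119
"""

# Constructed stand-in for a tracker export: CVE id -> status for this package.
TRACKER = {
    "CVE-2014-5146": "no-dsa",
    "CVE-2014-8341": "no-dsa",
    "CVE-2015-8104": "vulnerable",
    "CVE-2015-2152": "vulnerable",
    "CVE-2016-1570": "vulnerable",
    "CVE-2016-2270": "vulnerable",
}

def cves_by_version(changelog):
    """Map each CVE id to the oldest changelog version that mentions it."""
    fixed, version = {}, None
    for line in changelog.splitlines():
        header = HEADER_RE.match(line)
        if header:
            version = header.group("ver")
            continue
        for cve in CVE_RE.findall(line):
            fixed[cve] = version  # later lines are older entries, so oldest wins
    return fixed

def compare(changelog, tracker):
    """Split ids into fixed, still open in the tracker, and unknown to it."""
    fixed = cves_by_version(changelog)
    return {
        "fixed": {c: v for c, v in fixed.items() if c in tracker},
        "not_fixed": {c: s for c, s in tracker.items() if c not in fixed},
        "untracked": sorted(c for c in fixed if c not in tracker),
    }
```

Ids landing in `untracked` are the ones to check by hand: either the tracker is missing an entry for the package, or the id is a typo or belongs to another package.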