2011-02-15 22:46, Kelly Dean wrote:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
> fixed, or does it have the vulnerability?

To begin with: I do not know if the kernel in squeeze is vulnerable.

On <http://packages.debian.org/squeeze/linux-image-2.6.32-5-amd64>, one
can read that for the kernel in squeeze, the package _name_ contains
linux-image-2.6.32-5, whereas the _version_ is 2.6.32-30. None of these
appears to refer to the upstream version number 2.6.32.5, as can be seen
from the changelog at
<http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.32-30/changelog>,
where I just quote parts of two entries:

linux-2.6 (2.6.32-30) unstable; urgency=high
[...]
* Add stable 2.6.32.28:
[...]
-- Ben Hutchings <b...@decadent.org.uk> Tue, 11 Jan 2011 05:42:11 +0000

linux-2.6 (2.6.32-29) unstable; urgency=high
[...]
* Add stable 2.6.32.27:
[...]
-- Ben Hutchings <b...@decadent.org.uk> Fri, 10 Dec 2010 05:45:11 +0000

The updates to the 2.6.32 kernel thus seem to be incorporated into the
version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable,
but no higher versions of 2.6.32, and as 2.6.32.28 appears to be
incorporated in squeeze, it seems that squeeze might not be vulnerable.

> http://security-tracker.debian.org/tracker/status/release/stable
> currently says that[...]

I do not know how that page works, so I cannot comment on it.

> Did Squeeze really get released with a high-urgency remote kernel
> vulnerability which was published four months earlier?

I do not know.

/ johan
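
The changelog reading in the message above can be scripted. The following is an added example, not part of the original message and not Debian tooling: it parses the two quoted changelog entries (embedded as constructed sample input) and reports which upstream stable release each package version incorporates, then compares that with the highest release the message says is listed as vulnerable. The function names are hypothetical, and a result of True is only the same hint the message arrives at, not proof of a fix.

```python
import re

# Constructed sample input: the two changelog entries quoted in the message,
# with its "[...]" elisions and truncated address left as they are.
CHANGELOG = """\
linux-2.6 (2.6.32-30) unstable; urgency=high
  [...]
  * Add stable 2.6.32.28:
  [...]
 -- Ben Hutchings <b...@decadent.org.uk>  Tue, 11 Jan 2011 05:42:11 +0000

linux-2.6 (2.6.32-29) unstable; urgency=high
  [...]
  * Add stable 2.6.32.27:
  [...]
 -- Ben Hutchings <b...@decadent.org.uk>  Fri, 10 Dec 2010 05:45:11 +0000
"""

HEADER = re.compile(r"^\S+ \((?P<ver>[^)]+)\) ")           # "source (version) dist; ..."
STABLE = re.compile(r"^\s*\* Add stable (\d+(?:\.\d+)+)")  # "* Add stable 2.6.32.28:"

def stable_by_package_version(changelog):
    """Map each package version to the upstream stable releases its entry adds."""
    merged, current = {}, None
    for line in changelog.splitlines():
        if m := HEADER.match(line):
            current = m.group("ver")
            merged[current] = []
        elif current and (m := STABLE.match(line)):
            merged[current].append(m.group(1))
    return merged

def vtuple(version):
    """Numeric sort key, so that 2.6.32.5 sorts below 2.6.32.20."""
    return tuple(int(part) for part in version.split("."))

def upstream_level(changelog, package_version):
    """Highest stable release merged in package_version or any older entry."""
    entries = list(stable_by_package_version(changelog).items())  # newest first
    start = [ver for ver, _ in entries].index(package_version)
    found = [s for _, stables in entries[start:] for s in stables]
    return max(found, key=vtuple) if found else None

def above_listed(changelog, package_version, highest_listed):
    """True if the merged stable release is newer than the highest listed one."""
    level = upstream_level(changelog, package_version)
    return level is not None and vtuple(level) > vtuple(highest_listed)

if __name__ == "__main__":
    print(upstream_level(CHANGELOG, "2.6.32-30"))
    print(above_listed(CHANGELOG, "2.6.32-30", "2.6.32.20"))
```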