Hello,

Johan Grönqvist wrote:
> 2011-02-15 22:46, Kelly Dean wrote:
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
>> published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
>> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
>> fixed, or does it have the vulnerability?
>
> To begin with: I do not know if the kernel in squeeze is vulnerable.
[...]
> <http://packages.debian.org/changelogs/pool/main/l/linux-2.6/linux-2.6_2.6.32-30/changelog>,
>
> where I just quote parts of two entries:
>
> linux-2.6 (2.6.32-30) unstable; urgency=high
> [...]
> * Add stable 2.6.32.28:
> [...]
> -- Ben Hutchings <b...@decadent.org.uk> Tue, 11 Jan 2011 05:42:11 +0000
[...]
> The updates to the 2.6.32 kernel thus seem to be incorporated into the
> version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable,
> but no higher versions of 2.6.32, and as 2.6.32.28 appears to be
> incorporated in squeeze, it seems that squeeze might not be vulnerable.

I do not know if 2.6.32 was vulnerable either, but looking at upstream kernel changelogs it seems that the fix was not backported to any upstream -stable (now -longterm) release older than 2.6.35, including 2.6.32. So if upstream 2.6.32 was vulnerable, 2.6.32.28 still is.