[kernel-sec-discuss] r717 - active

Dann Frazier dannf at alioth.debian.org
Tue Mar 20 05:44:33 CET 2007


Author: dannf
Date: 2007-03-20 04:44:33 +0000 (Tue, 20 Mar 2007)
New Revision: 717

Modified:
   active/CVE-2006-5701
   active/CVE-2006-5753
   active/CVE-2007-1000
Log:
status updates and notes

Modified: active/CVE-2006-5701
===================================================================
--- active/CVE-2006-5701	2007-03-19 07:24:40 UTC (rev 716)
+++ active/CVE-2006-5701	2007-03-20 04:44:33 UTC (rev 717)
@@ -17,6 +17,12 @@
  Ubuntu kernels have squashfs patch; not sure about Debian's.
  dannf> Debian's do not, but we do have a kernel-patch-squashfs package
  dannf> Marking upstream N/A, because this isn't an upstream feature
+ dannf> Affects squashfs (1:3.1r2-6) which is currently in etch. I've
+        Verified that the patch in RH bugzilla applies and fixes the bug.
+ dannf> kernel-patch-squashfs applied to a 2.4 kernel does not exhibit
+        this problem. I tested by hexediting the reproducer fs to advertise
+        v2 since v3 is not supported in sarge, which may have just masked
+        the problem.
 Bugs: 
 upstream: N/A
 linux-2.6: 
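
Review bot: The second added note (kernel-patch-squashfs on a 2.4 kernel) says itself that hex-editing the reproducer to advertise v2 "may have just masked the problem", so the 2.4 result is inconclusive, yet nothing in the record marks it as an open question. Suggest stating explicitly that the 2.4 status is unconfirmed, and putting the RH bugzilla reference on the empty Bugs: line so the patch that was verified against squashfs (1:3.1r2-6) can be located.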

Modified: active/CVE-2006-5753
===================================================================
--- active/CVE-2006-5753	2007-03-19 07:24:40 UTC (rev 716)
+++ active/CVE-2006-5753	2007-03-20 04:44:33 UTC (rev 717)
@@ -16,8 +16,8 @@
 Notes: 
 Bugs: 
 upstream: released (2.6.20-rc5)
-linux-2.6:
-2.6.18-etch-security: needed
+linux-2.6: 
+2.6.18-etch-security: pending (2.6.18.dfsg.1-11etch1) [bugfix/listxattr-mem-corruption.patch]
 2.6.8-sarge-security: needed
 2.4.27-sarge-security: 
 2.6.12-breezy-security: released (2.6.12-10.43)
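
Review bot: The linux-2.6: line changes only by gaining a trailing space, which adds diff noise without recording a status, even though upstream is listed as released (2.6.20-rc5). Suggest either filling in the linux-2.6 status or dropping the whitespace-only change. 2.6.8-sarge-security also stays at "needed" with Notes: empty; a short note on whether bugfix/listxattr-mem-corruption.patch applies to 2.6.8 would help whoever picks that up.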

Modified: active/CVE-2007-1000
===================================================================
--- active/CVE-2007-1000	2007-03-19 07:24:40 UTC (rev 716)
+++ active/CVE-2007-1000	2007-03-20 04:44:33 UTC (rev 717)
@@ -5,11 +5,12 @@
 Description: 
 Ubuntu-Description: 
 Notes: 
+ dannf> function doesn't exist in 2.6.8 - wtarreau says 2.4 isn't vulnerable
 Bugs: 
-upstream: 
+upstream: released (2.6.21-rc4)
 linux-2.6: 
-2.6.18-etch-security: 
-2.6.8-sarge-security: 
+2.6.18-etch-security: pending (2.6.18.dfsg.1-11etch1) [bugfix/ipv6_getsockopt_sticky-null-opt.patch]
+2.6.8-sarge-security: N/A
 2.4.27-sarge-security: N/A
 2.6.12-breezy-security: 
 2.6.15-dapper-security: 
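
Review bot: The added Notes: line refers to "function" without naming it, and the 2.4 claim is second-hand (attributed to wtarreau) with no reasoning recorded. Suggest naming the function (the patch name points to ipv6_getsockopt_sticky) and adding one line on why 2.4 is not vulnerable, so the N/A entries for 2.6.8-sarge-security and 2.4.27-sarge-security can be re-checked later. Description: is still empty even though upstream is now marked released (2.6.21-rc4).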
