[Secure-testing-team] DTSA for 2.6.8 and 2.4.27

Moritz Muehlenhoff jmm at inutil.org
Fri Sep 9 13:25:33 UTC 2005


Micah Anderson wrote:
> > Micah Anderson wrote:
> > > Neither of these advisories is a typical DTSA, as normally we only do
> > > advisories for things that are blocked from reaching testing by some other
> > > issue, but I think that it would be good to do these two advisories because
> > > of the sheer number of security holes fixed as well as the necessary upgrade
> > > path that people need to take if they wish to maintain the integrity of
> > > their machines.
> > 
> > Good idea, but I'd suggest to make a clean-sweep run over all kernel
> > issues before. Some entries definitely need updating (wrt 2.4/2.6
> 
> You mean cross reference all the entries in CAN/list to make sure there
> isn't anything missing or still has a TODO label?

This as well, but there are also some entries which are only marked
vulnerable for 2.4 and which also apply to 2.6, e.g. CAN-2005-2800 and 2801.
And vice versa possibly as well. We should double check them with the
debian kernel SVN.

> > Also several more issues should receive a CVE mapping.
> 
> What do you refer to here? 

CAN-2005-XXXX [Four potentially DoS exploitable deadlocks and leaks in
kernel 2.6]
        - linux-2.6 2.6.12-6 (low)
CAN-2005-XXXX [DoS by removal of default ACLs in ext2/ext3]

> I was thinking that the issues that do not have CVE numbers should possibly
> be submitted so that they do, although I'm not sure how long that will take
> and if it is worth holding up an advisory.

Half a day, I can request the rest of the missing ones tomorrow.

> > Wrt keeping a complete history we should also move the entries based on
> > older kernel-source packages to linux-2.6, as this will be the new
> > permanent source package for 2.6 kernels.
> 
> I'm not following you here -- do you mean change all the entries in CAN/list
> that are for kernel-source-#.#.# to be linux-2.6?

Yes.

> If so, why?

To preserve a complete history of security issues for the kernels.
linux-2.6 will be the new permanent source package, and if someone wants
to check the state of a vulnerability, he shouldn't be referred to
a kernel-source package that is no longer in the archive, but instead
have the information from which point in time it is fixed in linux-2.6.
(Practically 2.6.12-1 for almost all vulnerabilities.)

Cheers,
         Moritz
