Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-29 Thread Charlie
On Mon, 29 Aug 2016 23:39:01 +0100 Lisi Reisz sent: > On Monday 29 August 2016 22:44:52 deloptes wrote: > > Crazy but fact. IMHO people try to convince themselves it will never > > happen (to them). I would like to know why and how one could deal > > with such a line of argumentation. > > You

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-29 Thread Lisi Reisz
On Monday 29 August 2016 22:44:52 deloptes wrote: > Crazy but fact. IMHO people try to convince themselves it will never happen > (to them). I would like to know why and how one could deal with such a line > of argumentation. You can't. I live with it! I now just say: please, please, please, if you

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-29 Thread deloptes
Perry E. Metzger wrote: > I don't get why everyone wants to argue that a problem that is known > to be bad and is fixed in the kernel versions released by the kernel > maintainers should be ignored. I'm asking myself the same, but I'm not a psychotherapist to be able to answer. For instance a

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-29 Thread Perry E. Metzger
On Mon, 29 Aug 2016 19:30:11 +0200 "Thomas Schmitt" wrote: > Hi, > > Gene Heskett wrote: > > Normally security things are pushed right on thru particularly > > when they are a one file changed in the whole kernel source > > tree. Why not this time? > > I guess because it

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-29 Thread Thomas Schmitt
Hi, Gene Heskett wrote: > Normally security things are pushed right on thru particularly > when they are a one file changed in the whole kernel source tree. Why > not this time? I guess because it is easy to work around https://access.redhat.com/security/vulnerabilities/challengeack and

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-29 Thread Gene Heskett
On Monday 29 August 2016 12:11:27 Perry E. Metzger wrote: > On Mon, 29 Aug 2016 11:55:03 +0100 Tixy wrote: > > On Sun, 2016-08-28 at 15:36 -0400, Perry E. Metzger wrote: > > > On Sun, 28 Aug 2016 14:35:01 +0200 Frederic Marchal > > > > [...] > > > > > > Even if the requirements

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-29 Thread Perry E. Metzger
On Mon, 29 Aug 2016 07:25:42 +0200 Salvatore Bonaccorso wrote: > The issue is already been worked on by Ben for all versions in sid, > jessie (and wheezy lts): > > sid: > https://anonscm.debian.org/cgit/kernel/linux.git/commit/?h=sid=7184d7bfd94443b6403d71da639ec390224af594 >

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-29 Thread Perry E. Metzger
On Mon, 29 Aug 2016 11:55:03 +0100 Tixy wrote: > On Sun, 2016-08-28 at 15:36 -0400, Perry E. Metzger wrote: > > On Sun, 28 Aug 2016 14:35:01 +0200 Frederic Marchal > [...] > > > > > > Even if the requirements are met, the attack fails if the > > > client is protected by a

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-29 Thread Tixy
On Sun, 2016-08-28 at 15:36 -0400, Perry E. Metzger wrote: > On Sun, 28 Aug 2016 14:35:01 +0200 Frederic Marchal [...] > > > > Even if the requirements are met, the attack fails if the client is > > protected by a stateful firewall (either on a NAT router, modem or > > computer). > > So

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-28 Thread Salvatore Bonaccorso
Hi, On Mon, Aug 29, 2016 at 01:08:45AM -0400, Neal P. Murphy wrote: > On Mon, 29 Aug 2016 03:43:15 + > Mark Fletcher wrote: > > > Version 4.7 of the kernel contains a fix, which only required changes to > > one source file, so I assume it's a question of back porting

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-28 Thread Neal P. Murphy
On Mon, 29 Aug 2016 03:43:15 + Mark Fletcher wrote: > Version 4.7 of the kernel contains a fix, which only required changes to > one source file, so I assume it's a question of back porting that fix into > the Jessie version of the kernel. I might take a look at trying

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-28 Thread Mark Fletcher
On Mon, 29 Aug 2016 at 10:21, Neal P. Murphy wrote: > On Sun, 28 Aug 2016 14:35:01 +0200 > Frederic Marchal wrote: > > > The attack is also useless if the attacker can't spoof the source IP > > address. Routers in corporate

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-28 Thread Neal P. Murphy
On Sun, 28 Aug 2016 14:35:01 +0200 Frederic Marchal wrote: > The attack is also useless if the attacker can't spoof the source IP > address. Routers in corporate environments usually block this by design or > due to VLAN. For that reason, the attack can't

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-28 Thread deloptes
Perry E. Metzger wrote: > The hole needs to be fixed. AMEN

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-28 Thread Perry E. Metzger
On Sun, 28 Aug 2016 14:35:01 +0200 Frederic Marchal wrote: > The requirements are: > > * TCP connection, > * long-lived, > * unencrypted, > * long silences. > > I'll add that the protocol must allow the server to initiate data > sending with only one packet

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-28 Thread Frederic Marchal
On Friday 26 August 2016 23:11:23 Perry E. Metzger wrote: > On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal > > wrote: > > On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote: > > > According to: > > > > > >

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-27 Thread Joe Pfeiffer
"John T. Haggerty" writes: > On Fri, Aug 26, 2016 at 9:11 PM, Perry E. Metzger > wrote: > >On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal > wrote: > > > The download must be long > > enough (more

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-26 Thread John T. Haggerty
On Fri, Aug 26, 2016 at 9:11 PM, Perry E. Metzger wrote: > On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal > wrote: > > On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote: > > > According to: > > > > > >

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-26 Thread Perry E. Metzger
On Fri, 26 Aug 2016 21:06:15 +0200 Frederic Marchal wrote: > On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote: > > According to: > > > > https://security-tracker.debian.org/tracker/CVE-2016-5696 > > > > Wheezy and Jessie are still vulnerable. The

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-26 Thread Frederic Marchal
On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote: > According to: > > https://security-tracker.debian.org/tracker/CVE-2016-5696 > > Wheezy and Jessie are still vulnerable. The attack in question is > kind of bad (it allows blind injection of arbitrary data into > things like http

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-26 Thread Perry E. Metzger
On Fri, 26 Aug 2016 17:34:39 +0100 Lisi Reisz wrote: > The "fix" seems not to have been dealt with yet, but the list has > published a workaround at some length in this thread: Updated kernels have been announced and released by the kernel folks at this point. (See, for

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-26 Thread Lisi Reisz
On Friday 26 August 2016 16:13:09 Mark Fletcher wrote: > On Sat, Aug 27, 2016 at 12:04 AM Perry E. Metzger > > wrote: > > According to: > > > > https://security-tracker.debian.org/tracker/CVE-2016-5696 > > > > Wheezy and Jessie are still vulnerable. The attack in question is >

Re: Any idea when CVE-2016-5696 is going to get fixed?

2016-08-26 Thread Mark Fletcher
On Sat, Aug 27, 2016 at 12:04 AM Perry E. Metzger wrote: > According to: > > https://security-tracker.debian.org/tracker/CVE-2016-5696 > > Wheezy and Jessie are still vulnerable. The attack in question is > kind of bad (it allows blind injection of arbitrary data into >

Any idea when CVE-2016-5696 is going to get fixed?

2016-08-26 Thread Perry E. Metzger
According to: https://security-tracker.debian.org/tracker/CVE-2016-5696 Wheezy and Jessie are still vulnerable. The attack in question is kind of bad (it allows blind injection of arbitrary data into things like http downloads) and has been known for a few weeks now to the general public. Any