On 7/5/09, Francesco Poli wrote:
> http://security-tracker.debian.net/tracker/CVE-2007-6514
> commit ???
> applied to upstream version ???
> see ???
> fix present in upstream version 2.6.30: I don't know
> help! the CVE mitre page does not link to any fix, it seems

the attack vector for this one is so obscure: the worst that can happen is disclosure of scripts hosted on an apache server serving those scripts, and only if those scripts are on a windows share. i'd almost be inclined to say no-dsa for this one (or issue a dsa that says don't host your apache scripts on a windows share). it's hardly worth worrying about.

> http://security-tracker.debian.net/tracker/CVE-2008-6107
> commit 94d149c34cda933ff5096aca94bb23bf68602f4e
> applied to upstream version 2.6.26
> see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26
> fix present in upstream version 2.6.26: yes
> fix present in upstream version 2.6.30: it seems to be present

94d149c34cda933ff5096aca94bb23bf68602f4e looks to be for CVE-2008-1673, so i disagree here.

> http://security-tracker.debian.net/tracker/CVE-2009-0029
> commit ???
> applied to upstream version ???
> see ???
> fix present in upstream version 2.6.30: I don't know
> help! the CVE mitre page links to this lkml message from Linus
> Torvalds, who seems to discuss about some aspect, but where's
> the fix?
> http://marc.info/?l=linux-kernel&m=123155111608910&w=2

patches are here: https://bugzilla.redhat.com/show_bug.cgi?id=479969. this one is a mess. it's highly likely in 2.6.30, but it's going to take some work to confirm this.

> http://security-tracker.debian.net/tracker/CVE-2009-1914
> commit 192d7a4667c6d11d1a174ec4cad9a3c5d5f9043c
> applied to upstream version 2.6.29
> see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.29
> fix present in upstream version 2.6.30: yes

confirmed.

> http://security-tracker.debian.net/tracker/CVE-2009-1961
> commit 7bfac9ecf0585962fe13584f5cf526d8c8e76f17
> applied to upstream version 2.6.30
> see http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30
> fix present in upstream version 2.6.30: yes

this code has been significantly refactored, so i can't confirm this.

> http://security-tracker.debian.net/tracker/CVE-2009-2287
> commit 59839dfff5eabca01cc4e20b45797a60a80af8cb
> applied to upstream version [none yet]
> see [no changelog]
> fix present in upstream version 2.6.30: no

this is probably already committed to 2.6.31 and will need to be backported.

thanks so much for helping out with this triage. it was immensely helpful.

cheers,
mike
