On Wed, 29 Jul 2009 22:00:46 +0200, Francesco Poli wrote:
> Hi all!
>
> I found another vulnerability in the tracker that shows up as fixed in
> lenny, and as unfixed in squeeze, despite the package version is the
> *same* in the two branches.
>
> http://security-tracker.debian.net/tracker/CVE-2009-2584

fixed. i keep overlooking squeeze when i do these updates. i will force myself to remember next time.

> BTW, the fix seems to be
> http://lkml.org/lkml/2009/7/20/348
> which, IIUC, has not yet been applied to the upstream mainline kernel
>
> I haven't even found a Debian BTS bug report: should an important (?)
> bug be filed?

the vulnerable code was introduced after 2.6.26, so only unstable's kernel is affected. the kernel-sec team is aware and tracking the problem, so a report is not necessary.

mike
