20/03/14 12:07, intrigeri wrote:
> Hi,
>
> (stealing the RM hat for a short while, by initiating this discussion.
> anonym, I'll let you take care of bringing this to a conclusion.)
>
> if we don't do anything special, then we'll release Tails 1.0 with the
> same kernel (3.12) as 0.23. Given 1.0 will be a point-release, this
> looks like the lower-risk path.
>
> OTOH, Debian testing has had 3.13 for a week, and might even be
> upgraded to 3.14 by the Tails 1.0 freeze. I have not checked, but
> these Linux updates most likely include security fixes.
>
> So, I'm unsure what we should do.
>
> Does anyone (anonym?) want to have a look at the security-related
> changes in 3.13, so that we have some more data in hand to make
> a decision?
Looking at the Debian changelog for the Linux kernel it seems only these
changes have CVE:s:
* nfqueue: Orphan frags in nfqnl_zcopy() and handle errors
(CVE-2014-2568)
* cifs: ensure that uncached writes handle unmapped areas correctly
(CVE-2014-0069)
* kvm: x86: fix emulator buffer overflow (CVE-2014-0049)
* net: fix for a race condition in the inet frag code (CVE-2014-0100)
* net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
(CVE-2014-0101)
* KEYS: Make the keyring cycle detector ignore other keyrings of the
same name (CVE-2014-0102)
* skbuff: skb_segment: orphan frags before copying (CVE-2014-0131)
* ipv6: don't set DST_NOCOUNT for remotely added routes (CVE-2014-2309)
Another good resource is
<
http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html>
where we can see CVE:s not fixed in any Debian kernel yet as well.
Cheers!
