anonym wrote (02 Apr 2014 14:50:51 GMT) :
> Looking at the Debian changelog for the Linux kernel it seems only these
> changes have CVEs:

Thanks!

I've had a look (details below) and my conclusion is that... I'm
unsure if it's worth taking the risk of introducing regressions in
1.0. Other opinions?

> * nfqueue: Orphan frags in nfqnl_zcopy() and handle errors
> (CVE-2014-2568)

Info leak triggered from the LAN.

> * cifs: ensure that uncached writes handle unmapped areas correctly
> (CVE-2014-0069)

I don't care much about cifs in Tails.

> * kvm: x86: fix emulator buffer overflow (CVE-2014-0049)

Only affects KVM hosts, so n/a.

> * net: fix for a race condition in the inet frag code (CVE-2014-0100)

use-after-free => DoS and "possibly [...] unspecified other impact"
Over ICMP, so generally exploitable only on the LAN.
Requires high CPU load on the attacked system.
This one seems worth fixing.

> * net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
> (CVE-2014-0101)

I don't care much about sctp in Tails.

> * KEYS: Make the keyring cycle detector ignore other keyrings of the
> same name (CVE-2014-0102)

Local users can trigger oops. No big deal.

> * skbuff: skb_segment: orphan frags before copying (CVE-2014-0131)

Info leak triggered from the LAN.

> * ipv6: don't set DST_NOCOUNT for remotely added routes (CVE-2014-2309)

n/a, we block external IPv6.

> Another good resource is
> <http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html>
> where we can see CVEs not fixed in any Debian kernel yet as well.

FWIW, I was not able to use this web site to give me any
Debian-specific information. The Debian security tracker feels more
useful to me:
https://security-tracker.debian.org/tracker/source-package/linux

Cheers!
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc