Your message dated Tue, 07 Jul 2009 23:47:14 +0100
with message-id <1247006834.21924.1.ca...@deadeye>
and subject line Re: Bug#536147: linux-2.6: [regression] CVE-2009-0029 fixed in testing, but not unstable
has caused the Debian Bug report #536147,
regarding linux-2.6: [regression] CVE-2009-0029 fixed in testing, but not unstable
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
536147: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536147
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: linux-2.6
Version: 2.6.30-1
Severity: grave
Tags: security
Justification: user security hole

Hello Debian kernel team!

According to the security tracker [1], CVE-2009-0029 is fixed in testing, but not in unstable. It's fixed in testing because it was fixed in a stable (lenny) point release, and stable packages updated in a point release are automatically migrated to testing, whenever the version in testing happens to be older than the updated stable one.

[1] http://security-tracker.debian.net/tracker/CVE-2009-0029

Having a fixed package in testing is great, but of course it also means that the vulnerability should be fixed in unstable before the package migrates from unstable to testing, or otherwise a regression will happen!

As part of a triage effort [2], I personally tried to understand whether CVE-2009-0029 is already fixed in linux-2.6/2.6.30-1, but I failed [3].

[2] see the following subthread for further details: http://lists.debian.org/debian-security-tracker/2009/07/msg00007.html
[3] see especially this message: http://lists.debian.org/debian-security-tracker/2009/07/msg00025.html

Please note that I didn't actually test linux-2.6/2.6.30-1 against the vulnerability: I just searched for the link to the supposed fix in the mitre CVE page and with the intention to take a look at the relevant files in linux-2.6_2.6.30.orig.tar.gz, in order to see whether they included the modifications...

I am filing this bug report, in order to make sure CVE-2009-0029 is fixed in unstable, before linux-2.6 migrates to testing.

Please check whether CVE-2009-0029 is fixed in linux-2.6/2.6.30-1: if the fix is already included, then this bug report may be safely closed. On the other hand, if linux-2.6/2.6.30-1 is vulnerable, then please apply the fix that was used [4] to prepare linux-2.6/2.6.26-13lenny2 and upload a new Debian revision (linux-2.6/2.6.30-2) that fixes the vulnerability.

[4] see http://security-tracker.debian.net/tracker/DSA-1749-1

Thanks for all the great job you're doing on the kernel packages!
--- End Message ---
--- Begin Message ---
Version: 2.6.29-1

It really isn't that difficult to find this out...

Ben.

--
Ben Hutchings
The generation of random numbers is too important to be left to chance.
 - Robert Coveyou
--- End Message ---