On Wed, Aug 10, 2005 at 12:04:05PM +0200, Christoph Hellwig wrote:
> On Wed, Aug 10, 2005 at 11:47:12AM +0200, Moritz Muehlenhoff wrote:
> > Horms wrote:
> > > As for which package to log a bug against, or creation of duplicate bugs.
> > > To be honest it doesn't matter. If you email
> > > [email protected], then you should get a response,
> > > regardless of if you open a bug in the BTS or not.
> > > CCing [email protected] if it's a bug in testing
> > > and [EMAIL PROTECTED] if it's a bug in stable is also a good idea.
> > >
> > > When we find problems, we just fix them. The BTS is really a bit too
> > > noisy for us to use it to track bugs effectively. Obviously this
> > > is a bit of a problem, but what I am trying to say is adding a bug
> > > to the BTS just emails debian-kernel anyway, and security bugs
> > > sent there are acted on. So my advice is to email the addresses
> > > above, and if you want to open a bug, just open it against any
> > > of the above packages that have the vulnerability.
> >
> > Hi Horms,
> > there has been a CVE assignment for an overflow in xdr.c, which can be
> > exploited by crafted data in the nfsacl protocol: CAN-2005-2500
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2500
> > for some links to patches. I suspect it is already fixed in kernel-2.6,
> > but 2.6.8 and 2.4.27 might need backports.
>
> No, nfsacl has only been added very recently and is not present in 2.4.x
> or 2.6.8.

Thanks Christoph, I have confirmed that this code isn't present in the
2.6.8 or 2.4.27 debian kernels.

-- 
Horms

