On Mon, May 18, 2009 at 03:15:59PM -0400, Michael S. Gilbert wrote:
> Package: linux-2.6
> Version: 2.6.26
> Severity: important
> Tags: security patch
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for linux-2.6.
>
> CVE-2009-1360[0]:
> | The __inet6_check_established function in net/ipv6/inet6_hashtables.c
> | in the Linux kernel before 2.6.29, when Network Namespace Support (aka
> | NET_NS) is enabled, allows remote attackers to cause a denial of
> | service (NULL pointer dereference and system crash) via vectors
> | involving IPv6 packets.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> Note that the kernel changelog says that this vulnerability was
> introduced in 2.6.27; however, I've checked and found that the 2.6.26
> code is identical to vulnerable 2.6.27 code. Hence, it is my
> assessment that 2.6.26 is affected as well.

Wasn't this introduced in de0744a (post-2.6.26)?

Also note that this is only an issue with NET_NS enabled. NET_NS is
not enabled for etch/lenny kernels, as this feature was marked
EXPERIMENTAL in those releases. Though we do make a best effort for
users building kernels from our source but w/ a custom config,
EXPERIMENTAL options are explicitly noted as being unsupported.

--
dann frazier