On Mon, Mar 15, 2010 at 12:13:06PM -0600, dann frazier wrote: > On Mon, Mar 15, 2010 at 06:50:58PM +0100, Moritz Muehlenhoff wrote: > > On 2010-03-15, dann frazier <da...@debian.org> wrote: > > > On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote: > > >> I've also been bitten by this bug - noticed it last Friday and it > > >> doesn't seem to be fixed this morning. > > >> > > >> Is there an ETA on a fix with packages? > > > > > > Packages are now available in the security repo (an apt-get upgrade > > > should suffice). > > > > > > I'm hoping to get a CVE ID before sending out a formal DSA. > > > > Why? That should be covered by the CVE ID for the original connector > > security bug. > > Just to make sure we're talking about the same thing... > > One reason for this upload is to deal with the ABI breakage from the > kernel upload which fixed CVE-2009-3725. I agree that no additional > CVE is warranted to deal with that. > > However, as part of fixing this, we discovered that drbd contains a > security issue as well. This issue is in the same class as the issues > covered by CVE-2009-3725. However, CVE-2009-3725 has an explicit list > of 4 subsystems it covers, and drbd is not one of them.
Ack. But since the underlying issue is identical I don't think a separate CVE ID is warranted. The CVE description can still be updated later if needed. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100315183958.ga4...@galadriel.inutil.org