On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> I've looked through the upstream repository for the patches that fix the
> recently announced issues. Quite a few of them turned out not to apply
> to squeeze, or the newer stable releases, and I've updated the security
> tracker accordingly.
>
> I backported the remaining fixes as best I can, and uploaded the source
> package to:
> https://people.debian.org/~benh/packages/squeeze-lts/
>
> Would you be willing to review this package?
>
> I noticed that you entirely reverted the upstream patch that was
> supposed to fix CVE-2015-7704 and -7705, and then applied a different
> fix for -7704. I think this means -7705 isn't fixed in sid, though the
> security tracker currently says it is. Who's right?
I can't seem to be getting much information out of anything from upstream. Lots of things don't seem to be affecting the 4.2.6 version.

From what I currently understand the following don't apply to the 4.2.6 versions:

CVE-2015-5196
CVE-2015-7848
CVE-2015-7849
CVE-2015-7854
CVE-2015-7855
CVE-2015-7871 (unless you patch it first)

You seem to be right that we're affected by CVE-2015-7705 now, which redhat also doesn't seem to have fixed because they don't enable rate limiting. I actually enabled this in 4.2.8p3+dfsg-1 for some reason.

Kurt