On Mon, 17 Aug 2009 15:36:57 +0200, Jan de Groot wrote:
> On Fri, 2009-08-14 at 13:31 -0600, dann frazier wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > - ----------------------------------------------------------------------
> > Debian Security Advisory DSA-1862-1                secur...@debian.org
> > http://www.debian.org/security/                           dann frazier
> > Aug 14, 2009                        http://www.debian.org/security/faq
> > - ----------------------------------------------------------------------
> >
> > Package        : linux-2.6
> > Vulnerability  : privilege escalation
> > Problem type   : local
> > Debian-specific: no
> > CVE Id(s)      : CVE-2009-2692
> >
> > A vulnerability has been discovered in the Linux kernel that may lead
> > to privilege escalation. The Common Vulnerabilities and Exposures project
> > identifies the following problem:
> >
> > CVE-2009-2692
> >
> >     Tavis Ormandy and Julien Tinnes discovered an issue with how the
> >     sendpage function is initialized in the proto_ops structure.
> >     Local users can exploit this vulnerability to gain elevated
> >     privileges.
> >
> > For the stable distribution (lenny), this problem has been fixed in
> > version 2.6.26-17lenny2.
>
> There's also a 2.6.26-18 in lenny-proposed-updates which contains some
> bugfixes that 2.6.26-17lenny2 doesn't have. The version of this kernel
> is higher than this security release, but it doesn't have the security
> patch included in this release. What's the future of this kernel in
> lenny-proposed-updates, will we see 2.6.26-18lenny1, or will it get
> removed?
> I don't have problems with "downgrading" to 2.6.26-17lenny2 for now, but
> I can imagine some users need the bugfixes in 2.6.26-18 and are still
> affected by this bug.

proposed-updates is not supported by the security team. however, patches
will certainly get applied there at some point before the next point
release; just don't expect that to be done with much urgency. if you are
concerned about security, stick with the core package pool.

mike
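
The version-ordering trap raised in this thread, as an added example that is not part of the original messages: a simplified Python reimplementation of Debian's version comparison, showing that a plain "installed >= fixed version" check reports 2.6.26-18 as patched. The function names and the `KNOWN_UNPATCHED` set are hypothetical; the two version strings come from the advisory and the thread.

```python
import re

def _order(c):
    # dpkg character weights: '~' sorts before end-of-string, letters before other symbols
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    i = j = 0
    at = lambda s, k: s[k] if k < len(s) else ""
    while i < len(a) or j < len(b):
        # compare the non-digit run character by character
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            d = _order(at(a, i)) - _order(at(b, j))
            if d:
                return d
            i, j = i + 1, j + 1
        # compare the following digit run numerically
        m, n = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        d = int(m or 0) - int(n or 0)
        if d:
            return d
        i, j = i + len(m), j + len(n)
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def compare(a, b):
    """Negative, zero or positive, like dpkg --compare-versions ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

FIXED = "2.6.26-17lenny2"        # fixed version stated in DSA-1862-1
KNOWN_UNPATCHED = {"2.6.26-18"}  # proposed-updates build the thread says lacks the patch

def naive_is_patched(installed):
    return compare(installed, FIXED) >= 0

def is_patched(installed):
    # ordering alone is not evidence of a fix; exclude builds known to lack it
    return installed not in KNOWN_UNPATCHED and compare(installed, FIXED) >= 0
```
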