Hi,

On Tue, Oct 04, 2016 at 11:54:12PM +0200, Jan Lühr wrote:
> Hello,
> On 10/04/2016 at 07:57 PM, Nicholas Luedtke wrote:
> > On 10/04/2016 11:40 AM, Felix Knecht wrote:
> >
> >> On 10/04/2016 06:38 PM, Jan Lühr wrote:
> >>> CVE-2016-7117 was patched in Android today. I don't see much information
> >>> right now. The title is rather frightening - the issue appears to be
> >>> urgent.
> >> The following upstream kernel commit is referenced in the security
> >> bulletin:
> >>
> >> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d
> >>
> >> No idea if this is fixed in Debian though.
> >>
> >> Felix
> >>
> > Looks like it was picked up when Debian rolled to 3.16.36-1.
>
> Thanks for the info - if Felix is right, then 4.7 (jessie backports) is
> secure, since it was released months after the fix was pushed to the
> mainline kernel.
>
> However, it's somewhat strange that a bug labeled "Linux Kernel
> Use-After-Free Remote Code Execution Vulnerability", concerning a lot of
> kernels released in the last years
> (http://www.securityfocus.com/bid/93304) seems to be fixed in Android
> only. Do you know any details?
>
> Anyway, using jessie-backports seems to help, thus I'm going for it...
I updated the security-tracker information for CVE-2016-7117:
https://security-tracker.debian.org/tracker/CVE-2016-7117 .

The fix is included in 3.16.36-1 as well.

HTH,
Regards,
Salvatore

