On Sat, Aug 27, 2016 at 12:04 AM Perry E. Metzger <pe...@piermont.com> wrote:
> According to: > > https://security-tracker.debian.org/tracker/CVE-2016-5696 > > Wheezy and Jessie are still vulnerable. The attack in question is > kind of bad (it allows blind injection of arbitrary data into > things like http downloads) and has been known for a few weeks now to > the general public. > > Any idea out there when updates to the kernels in question will be > released? > > I could have sworn I saw a fix for this sometime last week, as I would only have become aware of it when the security advisory was published. I built a new kernel based on 4.7 for my non-debian boxes last weekend, and assumed the regular updates would take care of Debian. I've long since deleted the email of course, but I am not sure how I would have even known there was an issue unless there had been one of the usual mails saying "this issue is fixed in...". But I agree that is not how the CVE item you linked to makes it look. Could there be a duplicate, with all the updates on the other one? Mark