On Friday 26 August 2016 16:13:09 Mark Fletcher wrote:
> On Sat, Aug 27, 2016 at 12:04 AM Perry E. Metzger <pe...@piermont.com> wrote:
> > According to:
> >
> > https://security-tracker.debian.org/tracker/CVE-2016-5696
> >
> > Wheezy and Jessie are still vulnerable. The attack in question is
> > kind of bad (it allows blind injection of arbitrary data into
> > things like http downloads) and has been known for a few weeks now to
> > the general public.
> >
> > Any idea out there when updates to the kernels in question will be
> > released?
>
> I could have sworn I saw a fix for this sometime last week, as I would only
> have become aware of it when the security advisory was published. I built a
> new kernel based on 4.7 for my non-debian boxes last weekend, and assumed
> the regular updates would take care of Debian. I've long since deleted the
> email of course, but I am not sure how I would have even known there was an
> issue unless there had been one of the usual mails saying "this issue is
> fixed in...". But I agree that is not how the CVE item you linked to makes
> it look. Could there be a duplicate, with all the updates on the other one?

The "fix" seems not to have been dealt with yet, but the list has published a
workaround at some length in this thread:

https://lists.debian.org/msgid-search/slrnnqp80d.67r.cu...@einstein.electron.org

These in particular discuss the "solution":

https://lists.debian.org/msgid-search/20160811162119.GA19111@e1030
https://lists.debian.org/msgid-search/28cd04df-18a6-caa9-d4ff-b4761c3f7...@gmail.com
https://lists.debian.org/msgid-search/slrnnqr3sv.3uk.cu...@einstein.electron.org

Lisi