Hi all! We'll have to apply a patch for CVE-2012-0946 (access to arbitrary system memory by any user) for cauldron and mga1.
However, the security fix (patch to the nvidia kernel interface layer) will break CUDA debugger using libcuda older than 295.40. While I can upgrade cauldron driver (which contains libcuda) to 295.40, mga1 will be left with two options:

a) Apply patch, informing users that CUDA debugger will cease to function unless they upgrade their NVIDIA driver. However, as we have no backports, the remaining (non-system-breaking) option to upgrade their driver is to use http://onse.fi/nvidia-mgabuild/ , but I don't think it is very nice to link to non-official page from an advisory, right?

b) Upgrade our MGA1 driver from 275.09.07 to 295.40 ("long-lived branch release") as well. We have previously shipped an update from 270.41.19 to 275.09.07 for MGA1 (that was due to an important stability bugfix). I'm not aware of any blockers for this.

I'd probably prefer (a), but since we don't have any official way for users to update their driver, that makes me lean to (b) instead.

WDYT? A relatively quick decision needs to be made...

--
Anssi Hannula