20/03/14 12:07, intrigeri wrote:
> Hi,
>
> (stealing the RM hat for a short while, by initiating this discussion.
> anonym, I'll let you take care of bringing this to a conclusion.)
>
> if we don't do anything special, then we'll release Tails 1.0 with the
> same kernel (3.12) as 0.23. Given 1.0 will be a point-release, this
> looks like the lower-risk path.
>
> OTOH, Debian testing has had 3.13 for a week, and might even be
> upgraded to 3.14 by the Tails 1.0 freeze. I have not checked, but
> these Linux updates most likely include security fixes.
>
> So, I'm unsure what we should do.
>
> Does anyone (anonym?) want to have a look at the security-related
> changes in 3.13, so that we have some more data in hand to make
> a decision?
Looking at the Debian changelog for the Linux kernel, it seems only these changes have CVEs:

* nfqueue: Orphan frags in nfqnl_zcopy() and handle errors (CVE-2014-2568)
* cifs: ensure that uncached writes handle unmapped areas correctly (CVE-2014-0069)
* kvm: x86: fix emulator buffer overflow (CVE-2014-0049)
* net: fix for a race condition in the inet frag code (CVE-2014-0100)
* net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable (CVE-2014-0101)
* KEYS: Make the keyring cycle detector ignore other keyrings of the same name (CVE-2014-0102)
* skbuff: skb_segment: orphan frags before copying (CVE-2014-0131)
* ipv6: don't set DST_NOCOUNT for remotely added routes (CVE-2014-2309)

Another good resource is <http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html> where we can see CVEs not fixed in any Debian kernel yet as well.

Cheers!
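One way to script the changelog review done by hand in the reply above (an added example, not part of the thread; the sample changelog, its version strings, placeholder entries and maintainer line are constructed, and only the two CVE entries are taken from the list above). Unlike a plain `grep CVE`, it joins wrapped lines so an entry whose CVE id sits on a continuation line keeps its description, and it records which upload each entry belongs to.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Stanza header in Debian changelog format: "package (version) dist; urgency=..."
HEADER_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+ \((?P<ver>[^)]+)\) [^;]+;")
# A change entry (or sub-entry) starts with "*" or "-" after indentation.
ENTRY_RE = re.compile(r"^\s+[*-]\s+")

def _flush(results, version, entry):
    """Record the accumulated entry if it references at least one CVE."""
    if entry:
        text = " ".join(entry)
        ids = sorted(set(CVE_RE.findall(text)))
        if ids:
            results.append((version, text, ids))

def cve_entries(changelog_text):
    """Return [(version, entry_text, [cve_ids])] for CVE-tagged entries."""
    results, version, entry = [], None, None
    for line in changelog_text.splitlines():
        header = HEADER_RE.match(line)
        if header or line.startswith(" -- ") or not line.strip():
            _flush(results, version, entry)   # stanza boundary ends the entry
            entry = None
            if header:
                version = header.group("ver")
        elif ENTRY_RE.match(line):
            _flush(results, version, entry)   # a new bullet ends the previous one
            entry = [ENTRY_RE.sub("", line).strip()]
        elif entry is not None:
            entry.append(line.strip())        # wrapped continuation line
    _flush(results, version, entry)
    return results

# Constructed sample: versions "3.13.A-1"/"3.13.B-1" are placeholders, not real uploads.
SAMPLE = """\
linux (3.13.B-1) unstable; urgency=medium

  * net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
    (CVE-2014-0101)
  * placeholder entry without a CVE reference

 -- Example Maintainer <maint@example.org>  Thu, 01 Jan 1970 00:00:00 +0000

linux (3.13.A-1) unstable; urgency=medium

  * Placeholder group heading:
    - kvm: x86: fix emulator buffer overflow (CVE-2014-0049)
    - placeholder sub-entry without a CVE reference

 -- Example Maintainer <maint@example.org>  Thu, 01 Jan 1970 00:00:00 +0000
"""

if __name__ == "__main__":
    for version, text, ids in cve_entries(SAMPLE):
        print(f"{version}: {', '.join(ids)}: {text}")
```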