
List:       debian-user
Subject:    Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?
From:       "Boyd Stephen Smith Jr." <bss () iguanasuicide ! net>
Date:       2011-05-09 6:06:32
Message-ID: 201105090106.32559.bss () iguanasuicide ! net

In <20110509043430.GA1984@cox.net>, Robert Holtzman wrote:
>On Sun, May 08, 2011 at 10:08:31PM +0200, Florian Weimer wrote:
>> * Kelly Dean:
>> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
>> > published Sept 30, 2010, and says that Linux 2.6.32.5 is
>> > vulnerable. Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is
>> > Squeeze's kernel fixed, or does it have the vulnerability?
>> 
>> According to our records, this issue was addressed in version
>> 2.6.32-31 of the linux-2.6 package, which is also the version
>> currently in squeeze.
>
>If so, why is my squeeze installation, fully updated, showing 2.6.32-5?

Because you don't understand Debian kernel packaging.

% apt-cache policy linux-image-2.6.32-5-amd64
linux-image-2.6.32-5-amd64:
  Installed: 2.6.32-31
  Candidate: 2.6.32-31
  Version table:
     2.6.32-34 0
        850 http://127.0.0.1/debian/ squeeze-proposed-updates/main amd64 Packages
 *** 2.6.32-31 0
        900 http://127.0.0.1/debian/ squeeze/main amd64 Packages
        100 /var/lib/dpkg/status

The package name is "linux-image-2.6.32-5-amd64"; the package version is 
"2.6.32-31"; the .deb file would be named 
"linux-image-2.6.32-5-amd64_2.6.32-31.deb".

For normal (i.e. non-meta-) packages:  The package name is (currently) of the 
form "linux-image-$upstream_version-$ABI_version-$arch"; the package version 
is "$upstream_version-$debian_version" -- like most other packages.

Part of the version is in the package name to allow for co-installation.  A 
similar naming is used for shared libraries for the same purpose.  Depending 
on upstream support (and maintainer support) for co-installation, all or part 
of the version string may be included in package, directory, and file names.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
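
Added example, not part of the original message: a shell sketch that separates the ABI number in the package name from the package version and checks the installed version against the fixed version 2.6.32-31 named earlier in the thread. The function names and the embedded sample output (constructed from the apt-cache output above) are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: `apt-cache policy` output in the shape shown in the message.
sample_policy() {
cat <<'EOF'
linux-image-2.6.32-5-amd64:
  Installed: 2.6.32-31
  Candidate: 2.6.32-31
EOF
}

# Read `apt-cache policy` output on stdin and print the installed package version.
installed_version() {
    awk '$1 == "Installed:" { print $2; exit }'
}

# Split a kernel package NAME into "upstream ABI arch".
# The "-5-" here is the ABI number, not the Debian revision.
split_name() {
    rest=${1#linux-image-}      # 2.6.32-5-amd64
    upstream=${rest%%-*}        # 2.6.32
    rest=${rest#*-}             # 5-amd64
    abi=${rest%%-*}             # 5
    arch=${rest#*-}             # amd64 (may itself contain hyphens)
    printf '%s %s %s\n' "$upstream" "$abi" "$arch"
}

# has_fix INSTALLED FIXED: 0 if INSTALLED >= FIXED, 1 if older, 2 if undecidable.
# Uses dpkg's own comparison when present; the fallback only handles the simple
# case of equal upstream versions with purely numeric Debian revisions.
has_fix() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
        return $?
    fi
    [ "${1%-*}" = "${2%-*}" ] || return 2
    case "${1##*-}${2##*-}" in *[!0-9]*) return 2 ;; esac
    [ "${1##*-}" -ge "${2##*-}" ]
}

# Demo on the constructed sample; on a real system pipe in
# `apt-cache policy linux-image-2.6.32-5-amd64` instead.
inst=$(sample_policy | installed_version)
if has_fix "$inst" 2.6.32-31; then
    echo "package version $inst is at or past the fixed version 2.6.32-31"
else
    echo "package version $inst is older than 2.6.32-31 or could not be compared"
fi
```

A newer package version only helps once the machine has been rebooted into the updated kernel image.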
