[Secure-testing-commits] r10331 - data/CVE
jmm-guest at alioth.debian.org
Sat Nov 8 01:06:56 UTC 2008
Author: jmm-guest
Date: 2008-11-08 01:06:55 +0000 (Sat, 08 Nov 2008)
New Revision: 10331
Modified:
data/CVE/list
Log:
one kernel issue harmless
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-11-07 21:14:10 UTC (rev 10330)
+++ data/CVE/list 2008-11-08 01:06:55 UTC (rev 10331)
@@ -3480,11 +3480,22 @@
{DSA-1654-1}
- libxml2 2.6.32.dfsg-4 (bug #498768)
CVE-2008-3528 (The error-reporting functionality in (1) fs/ext2/dir.c, (2) ...)
- - linux-2.6 <unfixed>
- - linux-2.6.24 <unfixed>
+ - linux-2.6 <unfixed> (unimportant)
+ - linux-2.6.24 <unfixed> (unimportant)
NOTE: cdbf6dba28e8e6268c8420857696309470009fd9 (ext3)
NOTE: bd39597cbd42a784105a04010100e27267481c67 (ext2)
NOTE: 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4)
+ NOTE: Comment from tytso:
+ NOTE: Note: some people thinks this represents a security bug, since it
+ NOTE: might make the system go away while it is printing a large number of
+ NOTE: console messages, especially if a serial console is involved. Hence,
+ NOTE: it has been assigned CVE-2008-3528, but it requires that the attacker
+ NOTE: either has physical access to your machine to insert a USB disk with a
+ NOTE: corrupted filesystem image (at which point why not just hit the power
+ NOTE: button), or is otherwise able to convince the system administrator to
+ NOTE: mount an arbitrary filesystem image (at which point why not just
+ NOTE: include a setuid shell or world-writable hard disk device file or some
+ NOTE: such). Me, I think they're just being silly.
CVE-2008-3527 (arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects ...)
TODO: check
CVE-2008-3526 (Integer overflow in the sctp_setsockopt_auth_key function in ...)
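Review bot: The "NOTE: Comment from tytso:" block added under CVE-2008-3528 carries no reference to where the comment was made (no URL, message or commit pointer), so the justification for downgrading both linux-2.6 and linux-2.6.24 to "(unimportant)" cannot be checked from the tracker entry itself. Suggest adding one NOTE line that names the source of the quotation, and stating which of the three commit ids listed above it, if any, the comment belongs to. The triage reason is also buried in eleven lines of quoted opinion; a single NOTE summarising the precondition given in the quote (physical access to insert a USB disk with a corrupted filesystem image, or an administrator persuaded to mount an arbitrary filesystem image) would make the reason for "(unimportant)" findable at a glance. The entries stay "<unfixed>" even though ext2, ext3 and ext4 commits are recorded, so a short note on whether those fixes are expected to be tracked despite the downgrade would help. Finally, the log message "one kernel issue harmless" does not name CVE-2008-3528, which makes this revision hard to locate from the commit history.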