
Bug#905966: linux-image-4.9.0-0.bpo.7-amd64: CVE-2018-5390 not fixed?



Package: src:linux
Version: 4.9.110-1~deb8u1
Severity: grave
Tags: newcomer

Dear Maintainer,

On August 6th, DSA-4266-1 linux was announced
(https://www.debian.org/security/2018/dsa-4266.en.html).
However, source package linux-4.9 (Debian oldstable, jessie) is not included in
the overview for CVE-2018-5390
(https://security-tracker.debian.org/tracker/CVE-2018-5390).

On August 8th, an updated kernel package was published for affected
distributions with Linux kernel 4.9+ (Debian stable, stretch).

On Debian jessie I can only install up to 4.9.0-0.bpo.7-amd64
(4.9.110-1~deb8u1), which, as far as I can tell, should be affected by
CVE-2018-5390 as well. As of today there does not seem to be any update
regarding this CVE with respect to linux-4.9 on Debian oldstable (jessie).

Can I conclude linux-4.9 on Debian oldstable is not affected, or will there be
an update for this package as well?

Thanks in advance,
Gerlof Fokkema


-- Package-specific info:
** Kernel log: boot messages should be attached

** Model information
sys_vendor: Supermicro
product_name: X8DTU
product_version: 1234567890
chassis_vendor: Supermicro
chassis_version: 1234567890
bios_vendor: American Megatrends Inc.
bios_version: 2.1c      
board_vendor: Supermicro
board_name: X8DTU
board_version: 1234567890

-- System Information:
Debian Release: 8.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-0.bpo.7-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-4.9.0-0.bpo.7-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.120+deb8u3
ii  kmod                                    18-3
ii  linux-base                              4.3~bpo8+1

Versions of packages linux-image-4.9.0-0.bpo.7-amd64 recommends:
ii  firmware-linux-free  3.3
ii  irqbalance           1.1.0-2~bpo8+1

Versions of packages linux-image-4.9.0-0.bpo.7-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-pc                 2.02~beta2-22+deb8u1
pn  linux-doc-4.9           <none>

Versions of packages linux-image-4.9.0-0.bpo.7-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information

