Vulnerabilities in udev

Bruce Dubbs bruce.dubbs at gmail.com
Mon Apr 27 12:52:19 PDT 2009


Mike McCarty wrote:

> Well, you see there are two exposures involved, the obvious one
> 
> 	possible exploit of known vulnerability
> 
> and the less obvious one
> 
> 	replacing working code with defective code
> 
> The first exposure is relatively easy to evaluate; the latter is less
> so, but exists nonetheless. I like to hear that a given patch or other
> fix has "burnt in" for a while, especially where exposure due to
> the known vulnerability has low or even nonexistent possibility of
> exploit.
> 
> I was hoping to get more information about how to evaluate my exposure.

Look at the source of the patch.  The header says that the changes are from 
upstream.  They will be in future versions of the code.  To evaluate the 
vulnerability, the header says it fixes CVE-2009-1185 and CVE-2009-1186.  Google 
that and you can read all about it.

   -- Bruce


