
Linux security flaw lets hackers inject malware into downloads, disrupt Tor, etc. - dewiz
http://www.theregister.co.uk/2016/08/10/linux_tor_users_open_corrupted_communications/
======
gtirloni
Part of the reason I stopped reading Slashdot was the daily The Register
article on the front page. We have got 2 of these on HN front-page today.

I wish people would stop relying on tabloids like that, especially here.

------
smartbit
> For encrypted HTTPS or SSH transmissions the worst that can be done is to
> break the connection

Another reason to only use encrypted connections.

------
rawfan
So is this patched in popular distributions or is everyone vulnerable right
now?

~~~
msimpson
RedHat and Fedora:
[https://access.redhat.com/security/cve/cve-2016-5696](https://access.redhat.com/security/cve/cve-2016-5696)
[https://bugzilla.redhat.com/show_bug.cgi?id=1354708](https://bugzilla.redhat.com/show_bug.cgi?id=1354708)

"This issue does not affect the Linux kernels as shipped with Red Hat
Enterprise Linux 4 and 5.

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux
6, 7 and Red Hat Enterprise MRG 2 and will be addressed in a future update."

Ubuntu: [https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2...](https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5696.html)

Debian: [https://security-tracker.debian.org/tracker/CVE-2016-5696](https://security-tracker.debian.org/tracker/CVE-2016-5696)

Linux Kernel (4.7 carries the fix):
[https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455...](https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758)

Arch Linux will shortly release 4.7, which is how I see them fixing this issue
instead of patching.

