linux.debian.user debian-user@lists.debian.org

#1
-- Please CC me, when replying, since I'm not subscribed to the list.

Hello,

According to DSA-1356-1 [1] there are security updates available for all linux-image-2.6.18* packages in Etch. One needs to upgrade to versions named linux-image-2.6.18-5* to benefit from the update.

Now I noticed that on my box the actual update was not installed automatically by 'aptitude dist-upgrade' and I am still running linux-image-2.6.18-4-k7. That package was installed automatically because I installed linux-image-k7, which depends on linux-image-2.6-k7, which then depends on the actual linux-image-2.6.18-4-k7 package.

According to the descriptions of linux-image-* and linux-image-2.6-*, these depend on the _latest_ "binary image for Linux kernel". But linux-image-2.6-* still depends on linux-image-2.6.18-4-*. IMHO something is really wrong with that. Obviously it is related to the jump from linux-image-2.6.18-4* to linux-image-2.6.18-5*. I am not really familiar with the Debian versioning system, but up until the update before DSA-1356-1, the only thing that changed due to a security update to the kernel package was the version number, not the package name.

Packages I found depending on the wrong kernel version: linux-image-2.6-xen-686, linux-image-2.6-xen-vserver-686, linux-image-2.6-486, linux-image-2.6-686, linux-image-2.6-686-bigmem, linux-image-2.6-amd64, linux-image-2.6-k7, linux-image-2.6-vserver-686, linux-image-2.6-vserver-k7, according to apt-cache on my machine.

Looking a bit closer, I can see no way how I or any other Debian user could get the update automatically, since no package that could have been installed before DSA-1356-1 depends on those new ones. So anybody not regularly checking the security site or not subscribed to the security-announce list will miss those security fixes.

Any comments and clarifications will be much appreciated.

[1] http://www.debian.org/security/2007/dsa-1356

Regards
--
Marcus Blumhagen

"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." -- Albert Einstein

#2

Marcus Blumhagen:
> Packages I found depending on the wrong kernel version:
> linux-image-2.6-xen-686, linux-image-2.6-xen-vserver-686,
> linux-image-2.6-486, linux-image-2.6-686,
> linux-image-2.6-686-bigmem, linux-image-2.6-amd64,
> linux-image-2.6-k7, linux-image-2.6-vserver-686,
> linux-image-2.6-vserver-k7

I cannot confirm this with up-to-date package descriptions from ftp2.de.debian.org. I didn't check all of the packages, but at least linux-image-2.6-k7 (what you are using) and linux-image-2.6-686 (what I am using) actually do depend on their related linux-image-2.6.18-5-* package.

J.
--
Whenever I hear the word 'art' I reach for my visa card.
[Agree] [Disagree] <http://www.slowlydownward.com/NODATA/data_enter2.html>

#3

-- Please CC me, when replying, since I'm not subscribed to the list.

On Fri, Aug 17, 2007 at 09:19:14AM +0200, Jochen Schulz wrote:
> I cannot confirm this with up-to-date package descriptions from
> ftp2.de.debian.org. I didn't check all of the packages, but at least
> linux-image-2.6-k7 (what you are using) and linux-image-2.6-686 (what I
> am using) actually do depend on their related linux-image-2.6.18-5-*
> package.

Ahh, OK, now I get it. Actually I only had security.debian.org in my sources.list besides the DVD set. I thought that would suffice to keep up-to-date regarding automatic security updates, but in this case it didn't.

Looking at the changelog of linux-image-2.6-k7 [1], I read:

linux-latest-2.6 (6etch1) stable; urgency=high

  * Update to 2.6.18-5.

 -- dann frazier <dannf@debian.org>  Thu, 24 May 2007 17:05:09 -0600

Uh, back in May already. But it also reads "stable; urgency=high" whereas the package it depends on now must read "stable-security; urgency=high". Actually there is no changelog available for the latest linux-image-2.6.18-5-k7 (2.6.18.dfsg.1-13etch1) yet. At the time of writing the latest changelog entry is for 2.6.18.dfsg.1-13 from Mon, 21 May 2007 14:45:13 -0600.

This leads me to one question. Shouldn't linux-image-2.6-* be distributed via security.debian.org too? Or in other words, shouldn't they just be assigned to stable-security instead of just stable? They only exist to depend on the real kernel package and therefore provide them as well. Maybe it could be done by just releasing an otherwise identical version with an adjusted version number in stable-security. That way one who has only security.debian.org in his sources.list and no other online repositories would still be able to get the update automatically.

OK, I see that my case described in the OP might be a little bit special, but I also think releasing an otherwise unchanged package, apart from the version number and the assignment to stable-security instead of stable, is not that big an effort for a gain in consistency. I am not familiar with maintaining packages, so if I am underestimating I stand corrected.

Thanks for your time and effort!

[1] http://packages.debian.org/changelog...tch1/changelog

Kind regards
--
Marcus Blumhagen

"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction." -- Albert Einstein
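The situation described in this post (a box whose only online source is security.debian.org, still running the 2.6.18-4 ABI while the linux-image-2.6-* metapackage update sits in plain stable) can be caught with two small checks: does the running kernel's ABI match the newest linux-image-2.6.18-N-flavour package apt knows about, and does sources.list carry an online mirror for etch/stable at all. This is an added example, not code from the thread or from Debian; the package names, uname string and sources.list lines inside it are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): two checks a sysadmin could run after a
# kernel DSA. Package names, the uname string and sources.list lines below are
# constructed sample input, not data from the list posts.

# Highest ABI number (the "5" in linux-image-2.6.18-5-k7) among the package
# names in $2 for flavour $1, e.g. newest_abi k7 "$PKGS" -> 5
newest_abi() {
    printf '%s\n' "$2" \
      | sed -n "s/^linux-image-2\.6\.18-\([0-9][0-9]*\)-$1\$/\1/p" \
      | sort -n | tail -n 1
}

# ABI number of a running kernel from its uname -r string (2.6.18-4-k7 -> 4)
running_abi() {
    printf '%s\n' "$1" | sed -n 's/^2\.6\.18-\([0-9][0-9]*\)-.*$/\1/p'
}

# True when the running kernel ($1) is at the newest ABI known for flavour $2
# in the package list $3. False means the metapackage never pulled the new
# ABI in, or the box has not been rebooted into it yet.
kernel_is_current() {
    cur=$(running_abi "$1"); new=$(newest_abi "$2" "$3")
    [ -n "$cur" ] && [ -n "$new" ] && [ "$cur" -ge "$new" ]
}

# True when the sources.list text in $1 has an active deb line for etch/stable
# from an online mirror, i.e. not only security.debian.org and the install DVDs.
has_stable_mirror() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -E '^deb[[:space:]]' \
      | grep -Ev 'security\.debian\.org|^deb[[:space:]]+cdrom:' \
      | grep -Eq '[[:space:]](etch|stable)[[:space:]]'
}

# constructed sample data
PKGS='linux-image-2.6.18-4-k7
linux-image-2.6.18-5-k7
linux-image-2.6-k7
linux-image-2.6.18-5-686'
SOURCES_DVD_ONLY='deb cdrom:[Debian GNU/Linux 4.0 r0 _Etch_ - Official i386 DVD Binary-1]/ etch main
deb http://security.debian.org/ etch/updates main contrib'
SOURCES_WITH_MIRROR="$SOURCES_DVD_ONLY
deb http://ftp2.de.debian.org/debian/ etch main"

kernel_is_current 2.6.18-4-k7 k7 "$PKGS" || echo "running kernel is behind ABI $(newest_abi k7 "$PKGS")"
has_stable_mirror "$SOURCES_DVD_ONLY" || echo "no online stable mirror: linux-image-2.6-* updates will be missed"
```

On a real box the package list would come from `apt-cache search '^linux-image-2\.6\.18-'` and the uname string from `uname -r`.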