Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
I've also been bitten by this bug - noticed it last Friday and it doesn't seem to be fixed this morning. Is there an ETA on a fix with packages? Thanks, --- David -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4b9e5297.3070...@metheus.org
Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote: I've also been bitten by this bug - noticed it last Friday and it doesn't seem to be fixed this morning. Is there an ETA on a fix with packages? Packages are now available in the security repo (an apt-get upgrade should suffice). I'm hoping to get a CVE ID before sending out a formal DSA. -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100315165651.ga15...@lackof.org
Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
Hello, what about the drbd8-modules-2.6-amd64 package ? We were happy to switch from the drbd8-source/ module source building when we upgraded to Lenny... Thank you Le 15/03/2010 17:56, dann frazier a écrit : On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote: I've also been bitten by this bug - noticed it last Friday and it doesn't seem to be fixed this morning. Is there an ETA on a fix with packages? Packages are now available in the security repo (an apt-get upgrade should suffice). I'm hoping to get a CVE ID before sending out a formal DSA. -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4b9e6b1a.5070...@lma.cnrs-mrs.fr
Re: Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
On 2010-03-15, dann frazier da...@debian.org wrote: On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote: I've also been bitten by this bug - noticed it last Friday and it doesn't seem to be fixed this morning. Is there an ETA on a fix with packages? Packages are now available in the security repo (an apt-get upgrade should suffice). I'm hoping to get a CVE ID before sending out a formal DSA. Why? That should be covered by the CVE ID for the original connector security bug. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/slrnhpsss2.2br@inutil.org
Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
On Mon, Mar 15, 2010 at 06:15:06PM +0100, Vincendon Bruno wrote: Hello, what about the drbd8-modules-2.6-amd64 package ? We were happy to switch from the drbd8-source/ module source building when we upgraded to Lenny... All the drbd8 packages will be updated at the same time. Ben. -- Ben Hutchings It is a miracle that curiosity survives formal education. - Albert Einstein -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100315180648.gp2...@decadent.org.uk
Re: Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
On Mon, Mar 15, 2010 at 06:50:58PM +0100, Moritz Muehlenhoff wrote: On 2010-03-15, dann frazier da...@debian.org wrote: On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote: I've also been bitten by this bug - noticed it last Friday and it doesn't seem to be fixed this morning. Is there an ETA on a fix with packages? Packages are now available in the security repo (an apt-get upgrade should suffice). I'm hoping to get a CVE ID before sending out a formal DSA. Why? That should be covered by the CVE ID for the original connector security bug. Just to make sure we're talking about the same thing... One reason for this upload is to deal with the ABI breakage from the kernel upload which fixed CVE-2009-3725. I agree that no additional CVE is warranted to deal with that. However, as part of fixing this, we discovered that drbd contains a security issue as well. This issue is in the same class as the issues covered by CVE-2009-3725. However, CVE-2009-3725 has an explicit list of 4 subsystems it covers, and drbd is not one of them. -- dann frazier -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100315181306.gc15...@lackof.org
Re: Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
On Mon, Mar 15, 2010 at 12:13:06PM -0600, dann frazier wrote: On Mon, Mar 15, 2010 at 06:50:58PM +0100, Moritz Muehlenhoff wrote: On 2010-03-15, dann frazier da...@debian.org wrote: On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote: I've also been bitten by this bug - noticed it last Friday and it doesn't seem to be fixed this morning. Is there an ETA on a fix with packages? Packages are now available in the security repo (an apt-get upgrade should suffice). I'm hoping to get a CVE ID before sending out a formal DSA. Why? That should be covered by the CVE ID for the original connector security bug. Just to make sure we're talking about the same thing... One reason for this upload is to deal with the ABI breakage from the kernel upload which fixed CVE-2009-3725. I agree that no additional CVE is warranted to deal with that. However, as part of fixing this, we discovered that drbd contains a security issue as well. This issue is in the same class as the issues covered by CVE-2009-3725. However, CVE-2009-3725 has an explicit list of 4 subsystems it covers, and drbd is not one of them. Ack. But since the underlying issue is identical I don't think a separate CVE ID is warranted. The CVE description can still be updated later if needed. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100315183958.ga4...@galadriel.inutil.org
Re: Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
On Mon, Mar 15, 2010 at 07:39:58PM +0100, Moritz Muehlenhoff wrote: On Mon, Mar 15, 2010 at 12:13:06PM -0600, dann frazier wrote: On Mon, Mar 15, 2010 at 06:50:58PM +0100, Moritz Muehlenhoff wrote: On 2010-03-15, dann frazier da...@debian.org wrote: On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote: I've also been bitten by this bug - noticed it last Friday and it doesn't seem to be fixed this morning. Is there an ETA on a fix with packages? Packages are now available in the security repo (an apt-get upgrade should suffice). I'm hoping to get a CVE ID before sending out a formal DSA. Why? That should be covered by the CVE ID for the original connector security bug. Just to make sure we're talking about the same thing... One reason for this upload is to deal with the ABI breakage from the kernel upload which fixed CVE-2009-3725. I agree that no additional CVE is warranted to deal with that. However, as part of fixing this, we discovered that drbd contains a security issue as well. This issue is in the same class as the issues covered by CVE-2009-3725. However, CVE-2009-3725 has an explicit list of 4 subsystems it covers, and drbd is not one of them. Ack. But since the underlying issue is identical I don't think a separate CVE ID is warranted. The CVE description can still be updated later if needed. I would agree with the above if the same fix for issues 1-4 also fixed this issue - but in this case, it doesn't. All of these fixes required an underlying change in the connector subsystem (allowing the passing of creds into the callback). But, *using* that change requires a separate change in each subsystem. It is completely possible to fix one subsystem and leave the others unfixed. They will compile fine, though there would be a non-fatal compiler warning that could go unnoticed. I don't think it makes sense to go back and add drbd to the CVE after the fact, because it changes the semantics. It is quite possible that some other vendor is out there shipping drbd and has already fixed CVE-2009-3725. Doing an update instead of a new CVE may cause this additional issue to go unnoticed/unfixed. In other words I think that, once distros have fixed a CVE, it isn't ok to add more fixes to that CVE which contradict the distro's statement that the CVE is fixed. Particularly when a new CVE could be used instead. For some precedence, see the recent regression fixes in CVE-2009-453[6-8]. Those are fixes for regressions introduced by previous CVE fixes - but they chose to allocate new CVEs instead of updating the existing ones. I'm sure we could dig up precedence to the contrary - CVE-2010-0307 might be an example, if we consider 1dfc76ec to be a security fix vs. just a regression. That said, it really is MITRE's call - so we'll see how they respond to my request. If they prefer to update the existing CVE, that's fine by me. -- dann frazier -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100315193908.gd15...@lackof.org
Re: Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
On Mon, Mar 15, 2010 at 01:39:08PM -0600, dann frazier wrote: On Mon, Mar 15, 2010 at 07:39:58PM +0100, Moritz Muehlenhoff wrote: On Mon, Mar 15, 2010 at 12:13:06PM -0600, dann frazier wrote: On Mon, Mar 15, 2010 at 06:50:58PM +0100, Moritz Muehlenhoff wrote: On 2010-03-15, dann frazier da...@debian.org wrote: On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote: I've also been bitten by this bug - noticed it last Friday and it doesn't seem to be fixed this morning. Is there an ETA on a fix with packages? Packages are now available in the security repo (an apt-get upgrade should suffice). I'm hoping to get a CVE ID before sending out a formal DSA. Why? That should be covered by the CVE ID for the original connector security bug. Just to make sure we're talking about the same thing... One reason for this upload is to deal with the ABI breakage from the kernel upload which fixed CVE-2009-3725. I agree that no additional CVE is warranted to deal with that. However, as part of fixing this, we discovered that drbd contains a security issue as well. This issue is in the same class as the issues covered by CVE-2009-3725. However, CVE-2009-3725 has an explicit list of 4 subsystems it covers, and drbd is not one of them. Ack. But since the underlying issue is identical I don't think a separate CVE ID is warranted. The CVE description can still be updated later if needed. I would agree with the above if the same fix for issues 1-4 also fixed this issue - but in this case, it doesn't. All of these fixes required an underlying change in the connector subsystem (allowing the passing of creds into the callback). But, *using* that change requires a separate change in each subsystem. It is completely possible to fix one subsystem and leave the others unfixed. They will compile fine, though there would be a non-fatal compiler warning that could go unnoticed. I don't think it makes sense to go back and add drbd to the CVE after the fact, because it changes the semantics. It is quite possible that some other vendor is out there shipping drbd and has already fixed CVE-2009-3725. Doing an update instead of a new CVE may cause this additional issue to go unnoticed/unfixed. In other words I think that, once distros have fixed a CVE, it isn't ok to add more fixes to that CVE which contradict the distro's statement that the CVE is fixed. Particularly when a new CVE could be used instead. For some precedence, see the recent regression fixes in CVE-2009-453[6-8]. Those are fixes for regressions introduced by previous CVE fixes - but they chose to allocate new CVEs instead of updating the existing ones. I'm sure we could dig up precedence to the contrary - CVE-2010-0307 might be an example, if we consider 1dfc76ec to be a security fix vs. just a regression. That said, it really is MITRE's call - so we'll see how they respond to my request. If they prefer to update the existing CVE, that's fine by me. Ok. But I recommend against holding back the update until a CVE is assigned. MITRE isn't working properly these days, we already needed to release several DSA w/o CVE IDs being assigned so far. Just write Not yet available as done for DSA 2013, DSA 2016 and DSA 2008. Cheers, Moritz -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100315194546.ga2...@galadriel.inutil.org
Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
On Mon, Mar 15, 2010 at 02:45:13PM -0400, David Miller wrote: dann frazier wrote: On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote: I've also been bitten by this bug - noticed it last Friday and it doesn't seem to be fixed this morning. Is there an ETA on a fix with packages? Packages are now available in the security repo (an apt-get upgrade should suffice). I'm hoping to get a CVE ID before sending out a formal DSA. Am I doing something st00pid, as usual? No - turns out we had a typo that prevents apt from upgrading. A new version is currently being built and should be released later today. -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100315194220.ge15...@lackof.org
Re: Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
On Mon, Mar 15, 2010 at 08:45:46PM +0100, Moritz Muehlenhoff wrote: On Mon, Mar 15, 2010 at 01:39:08PM -0600, dann frazier wrote: On Mon, Mar 15, 2010 at 07:39:58PM +0100, Moritz Muehlenhoff wrote: On Mon, Mar 15, 2010 at 12:13:06PM -0600, dann frazier wrote: On Mon, Mar 15, 2010 at 06:50:58PM +0100, Moritz Muehlenhoff wrote: On 2010-03-15, dann frazier da...@debian.org wrote: On Mon, Mar 15, 2010 at 11:30:31AM -0400, David Miller wrote: I've also been bitten by this bug - noticed it last Friday and it doesn't seem to be fixed this morning. Is there an ETA on a fix with packages? Packages are now available in the security repo (an apt-get upgrade should suffice). I'm hoping to get a CVE ID before sending out a formal DSA. Why? That should be covered by the CVE ID for the original connector security bug. Just to make sure we're talking about the same thing... One reason for this upload is to deal with the ABI breakage from the kernel upload which fixed CVE-2009-3725. I agree that no additional CVE is warranted to deal with that. However, as part of fixing this, we discovered that drbd contains a security issue as well. This issue is in the same class as the issues covered by CVE-2009-3725. However, CVE-2009-3725 has an explicit list of 4 subsystems it covers, and drbd is not one of them. Ack. But since the underlying issue is identical I don't think a separate CVE ID is warranted. The CVE description can still be updated later if needed. I would agree with the above if the same fix for issues 1-4 also fixed this issue - but in this case, it doesn't. All of these fixes required an underlying change in the connector subsystem (allowing the passing of creds into the callback). But, *using* that change requires a separate change in each subsystem. It is completely possible to fix one subsystem and leave the others unfixed. They will compile fine, though there would be a non-fatal compiler warning that could go unnoticed. I don't think it makes sense to go back and add drbd to the CVE after the fact, because it changes the semantics. It is quite possible that some other vendor is out there shipping drbd and has already fixed CVE-2009-3725. Doing an update instead of a new CVE may cause this additional issue to go unnoticed/unfixed. In other words I think that, once distros have fixed a CVE, it isn't ok to add more fixes to that CVE which contradict the distro's statement that the CVE is fixed. Particularly when a new CVE could be used instead. For some precedence, see the recent regression fixes in CVE-2009-453[6-8]. Those are fixes for regressions introduced by previous CVE fixes - but they chose to allocate new CVEs instead of updating the existing ones. I'm sure we could dig up precedence to the contrary - CVE-2010-0307 might be an example, if we consider 1dfc76ec to be a security fix vs. just a regression. That said, it really is MITRE's call - so we'll see how they respond to my request. If they prefer to update the existing CVE, that's fine by me. Ok. But I recommend against holding back the update until a CVE is assigned. MITRE isn't working properly these days, we already needed to release several DSA w/o CVE IDs being assigned so far. Just write Not yet available as done for DSA 2013, DSA 2016 and DSA 2008. ok, I'll do that. fyi, it should go out in a couple hours (last build just completed). -- dann frazier -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100315234127.gf15...@lackof.org
Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
On Fri, 2010-03-12 at 08:11 +0100, Dennis Hoppe wrote: Package: drbd8-modules-2.6.26-2-amd64 Version: 2.6.26+8.0.14-6+lenny1 Severity: important *** Please type your report below this line *** Hello, after installing the security update for linux-image-2.6.26-2-amd (2.6.26-21lenny4) my hole cluster was going down, because the drbd module could not be loaded. hot...@beta:~$ lsmod | grep drbd hot...@beta:~$ sudo modprobe drbd FATAL: Error inserting drbd (/lib/modules/2.6.26-2-xen-amd64/extra/drbd8/drbd/drbd.ko): Unknown symbol in module, or unknown parameter (see dmesg) hot...@beta:~$ sudo tail /var/log/syslog ... Mar 12 07:59:15 beta kernel: [ 148.854821] drbd: disagrees about version of symbol cn_add_callback Mar 12 07:59:15 beta kernel: [ 148.854824] drbd: Unknown symbol cn_add_callback I decided to purge drbd8-modules-2.6.26-2-amd64 and installed drbd8-source. After that i was able to load the drbd module. This is a known bug and will be fixed shortly by security updates to drbd8 and linux-modules-extra-2.6. Ben. -- Ben Hutchings If God had intended Man to program, we'd have been born with serial I/O ports. signature.asc Description: This is a digitally signed message part
Bug#573531: drbd8-modules-2.6.26-2-amd64: Can not load drbd module
Package: drbd8-modules-2.6.26-2-amd64 Version: 2.6.26+8.0.14-6+lenny1 Severity: important *** Please type your report below this line *** Hello, after installing the security update for linux-image-2.6.26-2-amd (2.6.26-21lenny4) my hole cluster was going down, because the drbd module could not be loaded. hot...@beta:~$ lsmod | grep drbd hot...@beta:~$ sudo modprobe drbd FATAL: Error inserting drbd (/lib/modules/2.6.26-2-xen-amd64/extra/drbd8/drbd/drbd.ko): Unknown symbol in module, or unknown parameter (see dmesg) hot...@beta:~$ sudo tail /var/log/syslog ... Mar 12 07:59:15 beta kernel: [ 148.854821] drbd: disagrees about version of symbol cn_add_callback Mar 12 07:59:15 beta kernel: [ 148.854824] drbd: Unknown symbol cn_add_callback I decided to purge drbd8-modules-2.6.26-2-amd64 and installed drbd8-source. After that i was able to load the drbd module. Regards, Dennis -- System Information: Debian Release: 5.0.4 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages drbd8-modules-2.6.26-2-amd64 depends on: ii linux-image-2.6.26-2-amd 2.6.26-21lenny4 Linux 2.6.26 image on AMD64 drbd8-modules-2.6.26-2-amd64 recommends no packages. drbd8-modules-2.6.26-2-amd64 suggests no packages. -- no debconf information signature.asc Description: OpenPGP digital signature