On Thu, Feb 18, 2010 at 09:50:43PM -0500, Michael Gilbert wrote: > On Thu, 18 Feb 2010 14:53:14 +0200 Peter Pentchev wrote: > > > Hi, > > > > First of all, apologies if this is sent to the wrong list, or if this > > information is already available somewhere; also, I'm aware that > > security support for Debian Etch ended a couple of days ago. > > > > In the recent DSA-1996-1 for the linux-2.6 package vulnerabilities, > > there was the following sentence: > > > > For the oldstable distribution (etch), these problems, where > > applicable, will be fixed in updates to linux-2.6 and linux-2.6.24. > > > > Now, since we several servers that we are currently in the process of > > migrating to Lenny, but the migration will not be complete for at > > least several more weeks (and yes, I know this is our own fault :), > > I'd just like to ask if there's any timeframe on when the Etch > > updates for the linux-2.6 package shall be released - without meaning > > to hurry anybody or to be pushy or something; I'm quite aware of > > all the work that goes into maintaining security updates across > > multiple versions of multiple packages on ooooold distributions, > > and the security team has my sincere thanks and condolences for all > > the work they have to do so we can sleep soundly :) > > > > Or maybe I'm missing something and the Etch update has already been > > released? But the only updated package I can see at > > http://security.debian.org/pool/updates/main/l/ is the "latest" one - > > linux-latest-2.6_6etch3; but from what I can see, it builds > > the linux-image-2.6-amd64_2.6.18+6etch3 package, which just depends on > > linux-image-2.6.18-6-amd64 (the actual kernel), and the actual kernel > > at http://security.debian.org/pool/updates/main/l/linux-2.6/ seems > > to still be at version 2.6.18.dfsg.1-26etch1 from November 5, 2009. > > > > Am I missing something, or is it just a question of manpower and time? > > If the latter, sorry if this mail comes through as pushy - it's really > > not meant to be! > > > > Again, thanks to the security team for all their hard work! > > Please CC me on replies, since I'm not subscribed to this list. > > you didn't miss anything. the update is in the works, and will be > released with the next etch point release (as seen in some other mailing > list; which one, i don't remember). the release team would be a better > place to ask about when that is going to happen, but if they haven't > announced anything publicly yet, then they probably have yet to set a > date.
The plan is to release both via the normal DSA process which will, as Mike mentioned, then become queued for the next point release. I'd suggest just watching for debian-security-announce for an update. If you want to see what will be fixed, I'd suggest taking a look at the current changelogs in svn: http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/changelog http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6.24/debian/changelog If you are interested in a specific CVE, you can look it up here: http://svn.debian.org/wsvn/kernel-sec -- dann frazier -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
