Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
On Tuesday, 27 June 2006 07:00, Moritz Muehlenhoff wrote:
> [...]
> http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-i386/kernel-image-2.6.8-2-386_2.6.8-16sarge1_i386.deb
>   Size/MD5 checksum: 14058198 fd607b13caf99093ef31071ff7395d6d

This package is actually not new. I installed it already on 2005-11-22. There is no security update for kernel-image-2.6.8-2-386 available according to aptitude!

> [...]

Best wishes,
Wolfgang

[Please send responses to this e-mail also to my personal address since I'm not subscribed to debian-security.]
Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
On Wednesday 28 June 2006 22:24, Wolfgang Jeltsch wrote:
> http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-i386/kernel-image-2.6.8-2-386_2.6.8-16sarge1_i386.deb
>   Size/MD5 checksum: 14058198 fd607b13caf99093ef31071ff7395d6d
>
> This package is actually not new. I installed it already on 2005-11-22.
> There is no security update for kernel-image-2.6.8-2-386 available
> according to aptitude!

That has been noted and corrected on this list already. A new formal notice will be sent out when new packages are also available for AMD64.

The new packages are kernel-image-2.6.8-_3_-386. If you have one of the meta packages (like kernel-image-2.6-386) installed, the new package will be pulled in automatically.

Cheers,
FJP
Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
On Tue, Jun 27, 2006 at 07:00:01AM +0200, Moritz Muehlenhoff wrote:
> Upgrade Instructions
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.

How about saying also:

Installing, upgrading and dist-upgrading the kernel-image-2.6-[arch] metapackage will keep the installed Debian kernels updated also when kernel package names change due to ABI changes.

> http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha
> /kernel-headers-2.6.8-2_2.6.8-16sarge1_alpha.deb
                        ^             ^^
2.6.8-2 and sarge1?

This and older kernel advisories contain URLs and md5sums for kernel binary packages which don't fix the mentioned vulnerabilities[1]. Is this a bug or am I missing something?

-Mikko

[1] $ grep sarge1 dsa-1103-1.txt
Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
On Tue, Jun 27, 2006 at 06:16:43PM +0200, Moritz Muehlenhoff wrote:
> Mikko Rapeli wrote:
>> http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha
>> /kernel-headers-2.6.8-2_2.6.8-16sarge1_alpha.deb
>>                       ^             ^^
>> 2.6.8-2 and sarge1?
>>
>> This and older kernel advisories contain URLs and md5sums for kernel
>> binary packages which don't fix the mentioned vulnerabilities[1].
>> Is this a bug or am I missing something?
>
> The Debian security host has been moved to a new machine and as the
> aftermath the md5sum template isn't sent out any more. So I had to
> fiddle this together manually and accidentally copied over the wrong
> file. To err is human :)
>
> I'm including the correct ones for reference below, they'll be sent
> out officially signed once the amd64 build is processed.

Good. Source and arch indep packages are fine but arch binary lists still have sarge1 entries dating back to Nov 2005 without fixes from DSA 1103-1.

The released fixes seem to add 'sarge[n+1]' version to updated source packages which should probably be in the binary packages version part too. Packages without the new version tag or an old 'sarge[n]' should not be in a kernel DSA, I presume.

Or you just copied the wrong list again:

snip
> http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha/
> kernel-headers-2.6.8-2_2.6.8-16sarge1_alpha.deb
                       ^             ^^
>   Size/MD5 checksum: 2757876 e94cdb8d12552d293018c7ca24199f47
> http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha/
> kernel-headers-2.6.8-2-generic_2.6.8-16sarge1_alpha.deb
                       ^                     ^^
snip
> http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-i386/
> kernel-headers-2.6.8-2_2.6.8-16sarge1_i386.deb
                       ^             ^^
...

-Mikko
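
The consistency rule proposed in the last message (a binary package with no new version tag, or still at an old 'sarge[n]', should not be listed in a kernel DSA) can be checked mechanically before an advisory is sent. The Python script below is an added example, not part of the thread or of Debian's tooling; the function names are hypothetical, and the third sample URL (ABI 3, sarge2) is constructed for illustration.

```python
import re
from urllib.parse import urlparse

# <package>_<version>[sarge<N>]_<arch>.deb, the file-name layout used in the DSA
DEB_RE = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*)_(?P<ver>[0-9][^_]*?)"
    r"(?:sarge(?P<n>\d+))?_(?P<arch>[a-z0-9-]+)\.deb$"
)

# Constructed sample: the first two URLs are quoted in the thread; the third
# (ABI 3, sarge2) is made up for illustration and is not from the advisory.
POOL = "http://security.debian.org/pool/updates/main/k/"
SAMPLE_URLS = [
    POOL + "kernel-image-2.6.8-alpha/kernel-headers-2.6.8-2_2.6.8-16sarge1_alpha.deb",
    POOL + "kernel-image-2.6.8-i386/kernel-image-2.6.8-2-386_2.6.8-16sarge1_i386.deb",
    POOL + "kernel-image-2.6.8-i386/kernel-image-2.6.8-3-386_2.6.8-16sarge2_i386.deb",
]

def parse_deb_url(url):
    """Split a pool URL into package name, base version, sarge revision, arch."""
    fname = urlparse(url).path.rsplit("/", 1)[-1]
    m = DEB_RE.match(fname)
    if m is None:
        raise ValueError(f"not a Debian binary package file name: {fname!r}")
    sarge = int(m["n"]) if m["n"] else None
    return {"package": m["pkg"], "base": m["ver"], "sarge": sarge, "arch": m["arch"]}

def stale_entries(urls, previous_sarge):
    """List entries that cannot carry the fix.

    previous_sarge is the 'n' of the last revision released before the
    advisory; anything at or below it, or with no sarge tag, is flagged.
    """
    findings = []
    for url in urls:
        info = parse_deb_url(url)
        if info["sarge"] is None:
            reason = "no sarge security revision in version"
        elif info["sarge"] <= previous_sarge:
            reason = f"sarge{info['sarge']} is not newer than sarge{previous_sarge}"
        else:
            continue
        findings.append((info["package"], info["arch"], reason))
    return findings

if __name__ == "__main__":
    for pkg, arch, reason in stale_entries(SAMPLE_URLS, previous_sarge=1):
        print(f"STALE {pkg} [{arch}]: {reason}")
```

The integer comparison covers only the sarge suffix; on a Debian host, `dpkg --compare-versions` gives the full version ordering against what is installed.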