Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?

2011-05-08 Thread Boyd Stephen Smith Jr.
In <20110509043430.ga1...@cox.net>, Robert Holtzman wrote:
>On Sun, May 08, 2011 at 10:08:31PM +0200, Florian Weimer wrote:
>> * Kelly Dean:
>> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
>> > published Sept 30, 2010, and says that Linux 2.6.32.5 is
>> > vulnerable. Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is
>> > Squeeze's kernel fixed, or does it have the vulnerability?
>> 
>> According to our records, this issue was addressed in version
>> 2.6.32-31 of the linux-2.6 package, which is also the version
>> currently in squeeze.
>
>If so, why is my squeeze installation, fully updated, showing 2.6.32-5?

Because you don't understand Debian kernel packaging.

% apt-cache policy linux-image-2.6.32-5-amd64
linux-image-2.6.32-5-amd64:
  Installed: 2.6.32-31
  Candidate: 2.6.32-31
  Version table:
     2.6.32-34 0
        850 http://127.0.0.1/debian/ squeeze-proposed-updates/main amd64 Packages
 *** 2.6.32-31 0
        900 http://127.0.0.1/debian/ squeeze/main amd64 Packages
        100 /var/lib/dpkg/status

The package name is "linux-image-2.6.32-5-amd64"; the package version is 
"2.6.32-31"; the .deb file would be named 
"linux-image-2.6.32-5-amd64_2.6.32-31.deb".

For normal (i.e. non-meta-) packages:  The package name is (currently) of the 
form "linux-image-$upstream_version-$ABI_version-$arch"; the package version 
is "$upstream_version-$debian_version" -- like most other packages.

Part of the version is in the package name to allow for co-installation.  A 
similar naming is used for shared libraries for the same purpose.  Depending 
on upstream support (and maintainer support) for co-installation, all or part 
of the version string may be included in package, directory, and file names.
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/


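The naming scheme Boyd describes, as an added example (not code from the thread): a small Python parser that separates the ABI number in the package *name* from the package *version* in `apt-cache policy` output and compares the version against the upload the Debian tracker lists as fixing CVE-2010-2943. The sample output and the fixed-in version 2.6.32-31 are taken from the thread; the version comparison is a simplified stand-in for dpkg's rules and assumes plain numeric versions.

```python
import re

# Constructed sample in the shape of the `apt-cache policy` output quoted in
# the thread; it was not captured from a live system.
SAMPLE_POLICY = """\
linux-image-2.6.32-5-amd64:
  Installed: 2.6.32-31
  Candidate: 2.6.32-31
  Version table:
     2.6.32-34 0
        850 http://127.0.0.1/debian/ squeeze-proposed-updates/main amd64 Packages
 *** 2.6.32-31 0
        900 http://127.0.0.1/debian/ squeeze/main amd64 Packages
        100 /var/lib/dpkg/status
"""
# Version in which the Debian tracker records CVE-2010-2943 as fixed (from the thread).
FIXED_IN = "2.6.32-31"
# Name layout from the thread: linux-image-$upstream_version-$ABI_version-$arch
PKG_NAME_RE = re.compile(r"^linux-image-(?P<upstream>\d+(?:\.\d+)+)-(?P<abi>\d+)-(?P<arch>\w+)$")

def split_package_name(name):
    """Split the package *name* into (upstream version, ABI number, arch)."""
    m = PKG_NAME_RE.match(name)
    if not m:
        raise ValueError("not a linux-image package name: %r" % name)
    return m.group("upstream"), int(m.group("abi")), m.group("arch")

def parse_policy(text):
    """Return (package name, Installed, Candidate) from `apt-cache policy` output."""
    lines = text.splitlines()
    name = lines[0].rstrip(":")
    fields = {}
    for line in lines[1:]:
        m = re.match(r"\s*(Installed|Candidate):\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return name, fields.get("Installed"), fields.get("Candidate")

def version_key(v):
    """Key for numeric 'upstream-revision' versions (assumption: no epochs/letters)."""
    upstream, sep, rev = v.rpartition("-")
    if not sep:
        upstream, rev = v, "0"
    return tuple(int(x) for x in upstream.split(".")), int(rev)

def is_fixed(installed, fixed_in=FIXED_IN):
    """True when the installed *package version* is at or past the fixing upload."""
    return version_key(installed) >= version_key(fixed_in)
```

Feeding the ABI-bearing "2.6.32-5" into `is_fixed` returns False, which is exactly the confusion in the thread: it is not a package version at all.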


Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?

2011-05-08 Thread Robert Holtzman
On Sun, May 08, 2011 at 10:08:31PM +0200, Florian Weimer wrote:
> * Kelly Dean:
> 
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> > published Sept 30, 2010, and says that Linux 2.6.32.5 is
> > vulnerable. Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is
> > Squeeze's kernel fixed, or does it have the vulnerability?
> 
> According to our records, this issue was addressed in version
> 2.6.32-31 of the linux-2.6 package, which is also the version
> currently in squeeze.

If so, why is my squeeze installation, fully updated, showing 2.6.32-5?

-- 
Bob Holtzman
Key ID: 8D549279
"If you think you're getting free lunch,
 check the price of the beer"




Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?

2011-05-08 Thread Florian Weimer
* Kelly Dean:

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> published Sept 30, 2010, and says that Linux 2.6.32.5 is
> vulnerable. Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is
> Squeeze's kernel fixed, or does it have the vulnerability?

According to our records, this issue was addressed in version
2.6.32-31 of the linux-2.6 package, which is also the version
currently in squeeze.

> http://security-tracker.debian.org/tracker/status/release/stable
> currently says that "the stable" suite has the vulnerability, and
> Squeeze is currently the latest stable, but the page doesn't
> explicitly say that Squeeze is the latest stable and has the
> vulnerability, and there's no timestamp on the page. The
> last-modified header appears to have the common bug of reporting the
> server's current clock time rather than the page's last modified
> timestamp, so that's useless too.

The page is generated dynamically.  The release mapping is the current
one.  The first table, listing packages, also shows the current
versions of the package and whether they are vulnerable or not.
As far as I can tell, all the information you need is there.

> Did Squeeze really get released with a high-urgency remote kernel
> vulnerability which was published four months earlier?

Security bugs are not release blockers because we have a process for
fixing them after the release.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/874o557y68@mid.deneb.enyo.de



Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?

2011-02-16 Thread Pascal Hambourg
Hello,

Johan Grönqvist a écrit :
> 2011-02-15 22:46, Kelly Dean skrev:
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
>> published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
>> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
>> fixed, or does it have the vulnerability?
> 
> To begin with: I do not know if the kernel in squeeze is vulnerable.
[...]
> ,
>  
> where I just quote parts of two entries:
> 
> linux-2.6 (2.6.32-30) unstable; urgency=high
>[...]
>* Add stable 2.6.32.28:
>[...]
>   -- Ben Hutchings   Tue, 11 Jan 2011 05:42:11 +
[...]
> The updates to the 2.6.32 kernel thus seem to be incorporated into the 
> version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable, 
> but no higher versions of 2.6.32, and as 2.6.32.28 appears to be 
> incorporated in squeeze, it seems that squeeze might not be vulnerable.

I do not know if 2.6.32 was vulnerable either, but looking at upstream
kernel changelogs it seems that the fix was not backported to any
upstream -stable (now -longterm) release older than 2.6.35, including
2.6.32. So if upstream 2.6.32 was vulnerable, 2.6.32.28 still is.


Archive: http://lists.debian.org/4d5b98b0.7080...@plouf.fr.eu.org



Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?

2011-02-16 Thread Liam O'Toole
On 2011-02-15, Kelly Dean  wrote:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was published 
> Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable. Squeeze uses 
> 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel fixed, or does it have 
> the vulnerability?

My interpretation of the overview provided by the NVD is that the
vulnerability applies only to XFS, and can only be exploited by
authenticated users. But I would be interested to hear the opinions of
more knowledgeable users.

>
> http://security-tracker.debian.org/tracker/status/release/stable currently 
> says that "the stable" suite has the vulnerability, and Squeeze is currently 
> the latest stable, but the page doesn't explicitly say that Squeeze is the 
> latest stable and has the vulnerability, and there's no timestamp on the 
> page. The last-modified header appears to have the common bug of reporting 
> the server's current clock time rather than the page's last modified 
> timestamp, so that's useless too.
>

I suspect that the page is dynamically generated, so the last-modified
header will always report the time at which the underlying database
query was executed.

> Did Squeeze really get released with a high-urgency remote kernel 
> vulnerability which was published four months earlier?


-- 
Liam O'Toole
Cork, Ireland



Archive: http://lists.debian.org/slrniln44v.2hf.liam.p.otoole@dipsy.tubbynet



Re: How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?

2011-02-16 Thread Johan Grönqvist

2011-02-15 22:46, Kelly Dean skrev:

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
> fixed, or does it have the vulnerability?


To begin with: I do not know if the kernel in squeeze is vulnerable.


On , one 
can read that for the kernel in squeeze, the package _name_ contains 
linux-image-2.6.32-5, whereas the _version_ is 2.6.32-30. None of these 
appears to refer to the upstream version number 2.6.32.5, as can be seen 
from the changelog at 
, 
where I just quote parts of two entries:



linux-2.6 (2.6.32-30) unstable; urgency=high
  [...]
  * Add stable 2.6.32.28:
  [...]
 -- Ben Hutchings   Tue, 11 Jan 2011 05:42:11 +


linux-2.6 (2.6.32-29) unstable; urgency=high
  [...]
  * Add stable 2.6.32.27:
  [...]
 -- Ben Hutchings   Fri, 10 Dec 2010 05:45:11 +


The updates to the 2.6.32 kernel thus seem to be incorporated into the 
version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable, 
but no higher versions of 2.6.32, and as 2.6.32.28 appears to be 
incorporated in squeeze, it seems that squeeze might not be vulnerable.





> http://security-tracker.debian.org/tracker/status/release/stable
> currently says that[...]


I do not know how that page works, so I cannot comment on it.


> Did Squeeze really get released with a high-urgency remote kernel
> vulnerability which was published four months earlier?


I do not know.

/ johan



Archive: http://lists.debian.org/ijg34a$u93$1...@dough.gmane.org
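Johan's method of reading the changelog for "Add stable" lines, as an added example (not code from the thread): a Python parser over a constructed changelog excerpt that reports, for a given Debian package version, the highest upstream -stable point release merged by that upload or an older one. The entries mirror the two quoted above; the maintainer address is a placeholder. As Pascal points out, a merged point release only helps if upstream -stable carried the fix, so this is an inventory step, not a verdict.

```python
import re

# Constructed excerpt in the layout of the debian/changelog lines quoted in the
# thread; the maintainer address is a placeholder, not the real one.
CHANGELOG_EXCERPT = """\
linux-2.6 (2.6.32-30) unstable; urgency=high
  [...]
  * Add stable 2.6.32.28:
  [...]
 -- Ben Hutchings <maintainer@example.invalid>  Tue, 11 Jan 2011 05:42:11 +0000

linux-2.6 (2.6.32-29) unstable; urgency=high
  [...]
  * Add stable 2.6.32.27:
  [...]
 -- Ben Hutchings <maintainer@example.invalid>  Fri, 10 Dec 2010 05:45:11 +0000
"""

# Entry header: "<source> (<version>) <distribution>; urgency=<level>"
HEADER_RE = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\w+)")
# Bullet recording a merged upstream point release: "* Add stable 2.6.32.28:"
STABLE_RE = re.compile(r"^\s*\*\s*Add stable (?P<point>\d+(?:\.\d+)+):?")

def parse_changelog(text):
    """Return one dict per entry, newest first: Debian version, urgency, and the
    upstream -stable point releases that entry says it merged."""
    entries = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            entries.append({"version": h.group("version"), "urgency": h.group("urgency"), "stable": []})
            continue
        s = STABLE_RE.match(line)
        if s and entries:
            entries[-1]["stable"].append(s.group("point"))
    return entries

def point_key(p):
    """Numeric sort key for a dotted point release such as 2.6.32.28."""
    return tuple(int(x) for x in p.split("."))

def highest_stable_merged(text, debian_version):
    """Highest upstream point release merged by debian_version or any older entry
    (entries are newest first, so everything after the match is older)."""
    entries = parse_changelog(text)
    for i, e in enumerate(entries):
        if e["version"] == debian_version:
            points = [p for older in entries[i:] for p in older["stable"]]
            return max(points, key=point_key) if points else None
    return None
```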



How up-to-date is Debian's stable release kept to fix published kernel security vulnerabilities?

2011-02-15 Thread Kelly Dean
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was published 
Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable. Squeeze uses 
2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel fixed, or does it have the 
vulnerability?

http://security-tracker.debian.org/tracker/status/release/stable currently says 
that "the stable" suite has the vulnerability, and Squeeze is currently the 
latest stable, but the page doesn't explicitly say that Squeeze is the latest 
stable and has the vulnerability, and there's no timestamp on the page. The 
last-modified header appears to have the common bug of reporting the server's 
current clock time rather than the page's last modified timestamp, so that's 
useless too.

Did Squeeze really get released with a high-urgency remote kernel vulnerability 
which was published four months earlier?


Archive: http://lists.debian.org/223175.89618...@web121518.mail.ne1.yahoo.com