Debian GNU/Linux 4.0 updated

Posted Feb 18, 2008 20:26 UTC (Mon) by aba (subscriber, #24118)
In reply to: Debian GNU/Linux 4.0 updated by ris
Parent article: Debian GNU/Linux 4.0 updated

aba@ries:~$ dak ls linux-2.6 -s stable
 linux-2.6 | 2.6.18.dfsg.1-18etch1 |        stable | source

That sounds to me as if the version 2.6.18.dfsg.1-18etch1 of linux-2.6 is in etch, and I
pasted the most recent line of the changelog of that version. (Actually, I extracted the
changelog by vi pool/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-18etch1.diff.gz, taking the
version number from dak ls.)

I currently cannot see why the fixed version of linux-2.6 shouldn't be in Etch r3 - unless an
accident happened while creating the Packages-files. By looking at e.g.
zcat dists/etch/main/binary-i386/Packages.gz | grep-dctrl -P ^linux-image-2.6.18-6-686$ -r -s Version
Version: 2.6.18.dfsg.1-18etch1
it seems to me version numbers in the database and the Packages-file match (which they always
should of course).

So, can you please tell me where I'm wrong?


Andi


Debian GNU/Linux 4.0 updated

Posted Feb 18, 2008 23:06 UTC (Mon) by jake (editor, #205) [Link]

> So, can you please tell me where I'm wrong?

You may be right, I am not sure.  I put that comment in after looking over the list of DSAs
(Debian Security Announcements) that were fixed in this release.  DSA-1494 is the one that
fixes the bug in question and is not listed.  I, perhaps wrongly, believed that if a DSA was
addressed, it would be listed.

jake

Debian GNU/Linux 4.0 updated

Posted Feb 19, 2008 7:25 UTC (Tue) by aba (subscriber, #24118) [Link]

I agree, it should be listed in the list of DSAs. I'll check why the DSA is not in the list of
DSAs, but the fixed kernel is there definitely.

Debian GNU/Linux 4.0 updated

Posted Feb 19, 2008 18:36 UTC (Tue) by jake (editor, #205) [Link]

> but the fixed kernel is there definitely.

I am afraid it is not.  I installed 4.0r3 and built the exploit and it worked fine.  uname
tells me the following: 

Linux debian 2.6.18-6-686

The new kernel is _available_ of course, but not distributed as part of 4.0r3.

jake

Debian GNU/Linux 4.0 updated

Posted Feb 21, 2008 12:54 UTC (Thu) by mbanck (subscriber, #9035) [Link]

> The new kernel is _available_ of course, but not distributed as part of 4.0r3.

According to the person who mastered the CDs, the new kernel package should be on the CDs.

When/how did you install 4.0r3?  Which CD version (businesscard, netinst, full, dvd)?

What does "dpkg -l linux-image-2.6.18-6-686 | tail -1" return as version, in case you still
have that installation available?

Somebody should check the security advisory as well, I guess.


Thanks,

Michael

Debian GNU/Linux 4.0 updated

Posted Feb 21, 2008 14:28 UTC (Thu) by jake (editor, #205) [Link]

> According to the person who mastered the CDs, the new kernel package should be on the CDs.

And it appears that it is.  I re-ran my tests (with much less cockpit error) and the exploit
does not work.

So, all that remains is why the DSA didn't get listed ...

jake

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds