Debian GNU/Linux 4.0 updated
From: Joey Schulze <joey-AT-infodrom.org>
To: Debian Announcements <debian-announce-AT-lists.debian.org>
Subject: Debian GNU/Linux 4.0 updated
Date: Sun, 17 Feb 2008 09:21:15 +0100
Message-ID: <20080217082115.GM6746@finlandia.home.infodrom.org>
------------------------------------------------------------------------
The Debian Project                                http://www.debian.org/
Debian GNU/Linux 4.0 updated                            press@debian.org
February 17th, 2008            http://www.debian.org/News/2008/20080217
------------------------------------------------------------------------

Debian GNU/Linux 4.0 updated

The Debian project is pleased to announce the third update of its stable
distribution Debian GNU/Linux 4.0 (codename etch). Please note that this
update does not constitute a new version of Debian GNU/Linux 4.0 but only
updates some of the packages included. There is no need to throw away 4.0
CDs or DVDs, only to update against ftp.debian.org after an installation
in order to incorporate those late changes.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most updates from security.debian.org are
included in this update.

New CD and DVD images containing updated packages, and the regular
installation media accompanied by the package archive, will be available
soon at the regular locations.

Upgrading to this revision online is usually done by pointing the aptitude
(or apt) package tool (see the sources.list(5) manual page) to one of
Debian's many FTP or HTTP mirrors. A comprehensive list of mirrors is
available at:

  <http://www.debian.org/distrib/ftplist>

Debian-Installer Update
-----------------------

The installer has been updated to use and support the updated kernels
included in this release. This change causes old netboot and floppy
images to stop working; updated versions are available from the regular
locations.

This update also includes stability improvements and adds support for SGI
O2 machines with 300MHz RM5200SC (Nevada) CPUs, which was announced with
the second update but was not actually included.

Important changes
-----------------

Updated versions of the bcm43xx-fwcutter package will be distributed via
volatile.debian.org. The package itself will be removed from etch with
the next update.

Flashplugin-nonfree has been removed (see below), as it is closed source
and we do not get security support for it. For security reasons, we
recommend immediately removing any version of flashplugin-nonfree and any
remaining files of the Adobe Flash Player. Tested updates will be made
available via backports.org.

Miscellaneous Bugfixes
----------------------

This stable update adds several binary updates for various architectures
to packages whose version was not synchronised across all architectures.
It also adds a few important corrections to the following packages:

Package            Reason
apache             Fix of several vulnerabilities
apache2            Fix of several vulnerabilities
apache2-mpm-itk    Rebuild for apache2 rebuilds
bos                Remove non-free content
clamav             Remove non-free (and undistributable) unrar code
cpio               Fix malformed creation of ustar archives
denyhosts          Fix improper parsing of ssh logfiles
ircproxy           Fix denial of service
glibc              Fix sunrpc memory leak
gpsd               Fix problem with leap years
ipmitool           Bring architectures back in sync
kdebase            Add support for latest flash plugin
kdelibs            Add support for latest flash plugin
kdeutils           Prevent unauthorised access when hibernated
libchipcard2       Add missing dependency
linux-2.6          Fix several bugs
loop-aes           Updated linux-2.6 kernel
madwifi            Fix possible denial of service
net-snmp           Fix broken snmpbulkwalk
ngircd             Fix possible denial of service
sing               Fix privilege escalation
sun-java5          Fix remote program execution
unrar-nonfree      Fix arbitrary code execution
viewcvs            Fix cvs parsing
xorg-server        Fix inline assembler for processors without cpuid

These packages are updated to support the newer kernels:

linux-modules-contrib-2.6
linux-modules-extra-2.6
linux-modules-nonfree-2.6
nvidia-graphics-legacy-modules-amd64
nvidia-graphics-legacy-modules-i386
nvidia-graphics-modules-amd64
nvidia-graphics-modules-i386

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates.

Advisory ID    Package(s)          Correction(s)
DSA 1405       zope-cmfplone       Arbitrary code execution
DSA 1437       cupsys              Several vulnerabilities
DSA 1438       tar                 Several vulnerabilities
DSA 1439       typo3-src           SQL injection
DSA 1440       inotify-tools       Arbitrary code execution
DSA 1441       peercast            Arbitrary code execution
DSA 1442       libsndfile          Arbitrary code execution
DSA 1443       tcpreen             Denial of service
DSA 1444       php5                Several vulnerabilities
DSA 1445       maradns             Denial of service
DSA 1446       wireshark           Denial of service
DSA 1447       tomcat5.5           Several vulnerabilities
DSA 1448       eggdrop             Arbitrary code execution
DSA 1449       loop-aes-utils      Programming error
DSA 1450       util-linux          Programming error
DSA 1451       mysql-dfsg-5.0      Several vulnerabilities
DSA 1452       wzdftpd             Denial of service
DSA 1453       tomcat5             Several vulnerabilities
DSA 1454       freetype            Arbitrary code execution
DSA 1455       libarchive          Several problems
DSA 1456       fail2ban            Denial of service
DSA 1457       dovecot             Information disclosure
DSA 1458       openafs             Denial of service
DSA 1459       gforge              SQL injection
DSA 1460       postgresql-8.1      Several vulnerabilities
DSA 1461       libxml2             Denial of service
DSA 1462       hplip               Privilege escalation
DSA 1463       postgresql-7.4      Several vulnerabilities
DSA 1464       syslog-ng           Denial of service
DSA 1465       apt-listchanges     Arbitrary code execution
DSA 1466       xorg                Several vulnerabilities
DSA 1468       tomcat5.5           Several vulnerabilities
DSA 1469       flac                Arbitrary code execution
DSA 1470       horde3              Denial of service
DSA 1471       libvorbis           Several vulnerabilities
DSA 1472       xine-lib            Arbitrary code execution
DSA 1473       scponly             Arbitrary code execution
DSA 1474       exiv2               Arbitrary code execution
DSA 1475       gforge              Cross site scripting
DSA 1476       pulseaudio          Privilege escalation
DSA 1477       yarssr              Arbitrary shell command execution
DSA 1478       mysql-dfsg-5.0      Several vulnerabilities
DSA 1479       fai-kernels         Several vulnerabilities
DSA 1479       linux-2.6           Several vulnerabilities
DSA 1483       net-snmp            Denial of service
DSA 1484       xulrunner           Several vulnerabilities

Removed Packages
----------------

These packages are removed from the distribution:

Package               Reason
bandersnatch          Too buggy
flashplugin-nonfree   Closed source and no security support
flyspray              Too buggy, no support from upstream
ipxripd               Incompatibility with the Etch kernel
jags                  Too buggy
unace-nonfree         Broken on big-endian or 64-bit systems

The complete list of all accepted and rejected packages together with
rationale is on the preparation page for this revision:

  <http://release.debian.org/stable/4.0/4.0r3/>

URLs
----

The complete lists of packages that have changed with this revision:

  <http://ftp.debian.org/debian/dists/etch/ChangeLog>

The current stable distribution:

  <http://ftp.debian.org/debian/dists/stable>

Proposed updates to the stable distribution:

  <http://ftp.debian.org/debian/dists/proposed-updates>

Stable distribution information (release notes, errata etc.):

  <http://www.debian.org/releases/stable/>

Security announcements and information:

  <http://www.debian.org/security/>

About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian GNU/Linux.

Contact Information
-------------------

For further information, please visit the Debian web pages at
<http://www.debian.org/>, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
Debian GNU/Linux 4.0 updated
Posted Feb 18, 2008 17:38 UTC (Mon) by aba (guest, #24118)

The comment "Note that the update for the recent kernel local root privilege
escalation problem did not make into this release." doesn't seem correct to
me. The changelog of linux-2.6 reads:

  linux-2.6 (2.6.18.dfsg.1-18etch1) stable-security; urgency=high

    * bugfix/vmsplice-security.patch
      [SECURITY] Fix missing access check in vmsplice.
      See CVE-2008-0010, CVE-2008-0600
    * bugfix/all/vserver/proc-link-security.patch
      [SECURITY][vserver] Fix access checks for the links in /proc/$pid.

   -- Bastian Blank <waldi@debian.org>  Sun, 10 Feb 2008 18:37:05 +0100

Andi

Debian GNU/Linux 4.0 updated
Posted Feb 18, 2008 17:49 UTC (Mon) by ris (subscriber, #5)

The point is not that the kernel update doesn't exist, but that it is not
included in the r3 release. If you install 4.0r3 you will have to grab that
kernel update afterwards.

Debian GNU/Linux 4.0 updated
Posted Feb 18, 2008 20:26 UTC (Mon) by aba (guest, #24118)

  aba@ries:~$ dak ls linux-2.6 -s stable
  linux-2.6 | 2.6.18.dfsg.1-18etch1 | stable | source

That sounds to me as if the version 2.6.18.dfsg.1-18etch1 of linux-2.6 is in
etch, and I pasted the most recent line of the changelog of that version.
(Actually, I extracted the changelog by vi
pool/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-18etch1.diff.gz, taking the
version number from dak ls.)

I currently cannot see why the fixed version of linux-2.6 shouldn't be in
Etch r3 - unless an accident happened while creating the Packages files. By
looking at e.g.

  zcat dists/etch/main/binary-i386/Packages.gz | grep-dctrl -P ^linux-image-2.6.18-6-686$ -r -s Version
  Version: 2.6.18.dfsg.1-18etch1

it seems to me version numbers in the database and the Packages file match
(which they always should, of course).

So, can you please tell me where I'm wrong?

Andi

Debian GNU/Linux 4.0 updated
Posted Feb 18, 2008 23:06 UTC (Mon) by jake (editor, #205)

> So, can you please tell me where I'm wrong?

You may be right, I am not sure. I put that comment in after looking over
the list of DSAs (Debian Security Announcements) that were fixed in this
release. DSA-1494 is the one that fixes the bug in question and is not
listed. I, perhaps wrongly, believed that if a DSA was addressed, it would
be listed.

jake

Debian GNU/Linux 4.0 updated
Posted Feb 19, 2008 7:25 UTC (Tue) by aba (guest, #24118)

I agree, it should be listed in the list of DSAs. I'll check why the DSA is
not in the list of DSAs, but the fixed kernel is there definitely.

Debian GNU/Linux 4.0 updated
Posted Feb 19, 2008 18:36 UTC (Tue) by jake (editor, #205)

> but the fixed kernel is there definitely.

I am afraid it is not. I installed 4.0r3 and built the exploit and it worked
fine. uname tells me the following:

  Linux debian 2.6.18-6-686

The new kernel is _available_ of course, but not distributed as part of
4.0r3.

jake

Debian GNU/Linux 4.0 updated
Posted Feb 21, 2008 12:54 UTC (Thu) by mbanck (subscriber, #9035)

> The new kernel is _available_ of course, but not distributed as part of 4.0r3.

According to the person who mastered the CDs, the new kernel package should
be on the CDs.

When/how did you install 4.0r3? Which CD version (businesscard, netinst,
full, dvd)?

What does "dpkg -l linux-image-2.6.18-6-686 | tail -1" return as version, in
case you still have that installation available.

Somebody should check the security advisory as well I guess.

Thanks,
Michael

Debian GNU/Linux 4.0 updated
Posted Feb 21, 2008 14:28 UTC (Thu) by jake (editor, #205)

> According to the person who mastered the CDs, the new kernel package should be on the CDs.

And it appears that it is. I re-ran my tests (with much less cockpit error)
and the exploit does not work.

So, all that remains is why the DSA didn't get listed ...

jake
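The thread settles the question by reading version strings off `dak ls`, `grep-dctrl` and `dpkg -l` by eye; note that `uname` alone is not enough, since the package revision (-18etch1) is not part of the kernel release string. The following is an added example, not code from the thread or from Debian's own tooling: it re-implements dpkg's version ordering in Python and uses it to check whether the version shown in `dpkg -l` output is at least the version the thread quotes as fixed. The package name and fixed version come from the thread; the `dpkg -l` sample line is constructed.

```python
# Added example (not from the thread or Debian's tools): dpkg's version ordering
# re-implemented in Python, so the version column of `dpkg -l` output can be
# checked against the version a DSA names as fixed instead of comparing strings.

def _order(c):
    # dpkg's weight for one character: '~' before everything, digits 0, letters, then symbols
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream or revision fragments the way dpkg does."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0   # end of string weighs 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # numeric run, leading zeros ignored
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1   # a has the longer number
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    """<0, 0 or >0 as v1 sorts before, equal to or after v2 ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-")
        return int(epoch), (upstream or rest), (revision if upstream else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def has_fix(dpkg_l_output, package, fixed_version):
    """True if `dpkg -l` output shows `package` installed (ii) at >= fixed_version."""
    for line in dpkg_l_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "ii" and f[1] == package:
            return compare_versions(f[2], fixed_version) >= 0
    return False

# Constructed sample `dpkg -l` line (older package) and the fixed version quoted in the thread.
SAMPLE_DPKG_L = "ii  linux-image-2.6.18-6-686 2.6.18.dfsg.1-17 Linux 2.6.18 image on PPro/Celeron/PII/PIII/P4\n"
FIXED_IN_ETCH = "2.6.18.dfsg.1-18etch1"
```

Feed it the real output of `dpkg -l linux-image-2.6.18-6-686` and the version from the advisory; a False result means the box still needs the security upload even if the package is present on the installation media.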