Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
* Stephen Gran wrote:
> I also do some rummaging around to figure out what the meta package is
> currently depending on, so that I know what version Debian currently
> considers newest, then compare that to /proc/version. That only works
> for etch and newer kernel images, though, so I think I'll fall back to
> Noah's method for older machines.

I use a small script for Nagios checks that I give the supposed-to-be booted kernel (e.g. 2.6.18-6-686). I'll change that to have the option to check /proc/version instead of uname -r.

I'm more comfortable with changing the Nagios configuration for each kernel update than by relying on some up-to-date APT cache to determine the current kernel. But I guess that's a matter of taste.

Cheers,
Mike
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
On Mon, 05 May 2008, Peter Palfrader wrote:
> On Mon, 05 May 2008, Bernd Eckenfels wrote:
>
> > In article <[EMAIL PROTECTED]> you wrote:
> > > Apropos. Is there a way to get that information from a vmlinuz file on
> > > disk? Without booting it, that is.
> >
> > Interestingly enough my (somewhat older) file command does only print "x86
> > boot sector", but I think some magic files supported it. Otherwise you can
> > use "strings vmlinux | fgrep 2."
>
> This does not appear to work well on at least armel.

Or, more generally, when the kernel is compressed.

http://svn.noreply.org/svn/weaselutils/trunk/nagios-check-running-kernel
is what I deployed on .debian.org so far.

Cheers, and thanks,
weasel
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
On Mon, 05 May 2008, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > Apropos. Is there a way to get that information from a vmlinuz file on
> > disk? Without booting it, that is.
>
> Interestingly enough my (somewhat older) file command does only print "x86
> boot sector", but I think some magic files supported it. Otherwise you can
> use "strings vmlinux | fgrep 2."

This does not appear to work well on at least armel.
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
This one time, at band camp, Peter Palfrader said:
> debian.org kernel packages don't however. Which makes it not exactly
> suitable for a nagios check for "is the running kernel the one on the
> filesystem".

This one time, at band camp, Noah Meyerhans said:
> I compare the ctime of the kernel image on the system with the machine's
> uptime. If the machine's been rebooted since the kernel image
> changed, we're up to date, otherwise we're still running an older
> kernel. The attached shell script shows how. You should be able to do
> this with a nagios check...

I also do some rummaging around to figure out what the meta package is currently depending on, so that I know what version Debian currently considers newest, then compare that to /proc/version. That only works for etch and newer kernel images, though, so I think I'll fall back to Noah's method for older machines.

--
Stephen Gran
Debian user, admin, and developer
http://www.debian.org
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
On Mon, May 05, 2008 at 02:57:34AM +0200, Peter Palfrader wrote:
> On Mon, 05 May 2008, Bernd Eckenfels wrote:
>
> > In article <[EMAIL PROTECTED]> you wrote:
> > > Apropos. Is there a way to get that information from a vmlinuz file on
> > > disk? Without booting it, that is.
> >
> > Interestingly enough my (somewhat older) file command does only print "x86
> > boot sector", but I think some magic files supported it. Otherwise you can
> > use "strings vmlinux | fgrep 2."
> >
> > I usually use the file name to describe it.
>
> debian.org kernel packages don't however. Which makes it not exactly
> suitable for a nagios check for "is the running kernel the one on the
> filesystem".

I compare the ctime of the kernel image on the system with the machine's uptime. If the machine's been rebooted since the kernel image changed, we're up to date, otherwise we're still running an older kernel. The attached shell script shows how. You should be able to do this with a nagios check...

noah

stale-kernel.sh
Description: Bourne shell script
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
On Mon, 05 May 2008, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > Apropos. Is there a way to get that information from a vmlinuz file on
> > disk? Without booting it, that is.
>
> Interestingly enough my (somewhat older) file command does only print "x86
> boot sector", but I think some magic files supported it. Otherwise you can
> use "strings vmlinux | fgrep 2."
>
> I usually use the file name to describe it.

debian.org kernel packages don't however. Which makes it not exactly suitable for a nagios check for "is the running kernel the one on the filesystem".

Sure, strings | grep works, but that's quite .. ugly and at least gives the impression of being fragile.

Peter
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
In article <[EMAIL PROTECTED]> you wrote:
> Apropos. Is there a way to get that information from a vmlinuz file on
> disk? Without booting it, that is.

Interestingly enough my (somewhat older) file command does only print "x86 boot sector", but I think some magic files supported it. Otherwise you can use "strings vmlinux | fgrep 2."

I usually use the file name to describe it.

Regards,
Bernd
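For the question of reading the version from a vmlinuz on disk, a more targeted alternative to strings | fgrep on x86: the bzImage setup header, which stays uncompressed, holds a pointer to the version string. This is an added example, not code from the thread or from the linked nagios-check-running-kernel script; it covers x86 bzImage files only (so not the armel case raised above), the field offsets come from the Linux x86 boot protocol, and the function names and sample image are constructed.

```shell
#!/bin/sh
# Added example: read the version string from an x86 bzImage setup header.
# Field offsets are from the Linux x86 boot protocol (version 2.00 and later).

bzimage_version() {
    img=$1
    # The setup header carries the magic "HdrS" (48 64 72 53) at offset 0x202.
    magic=$(od -An -tx1 -j 514 -N 4 "$img" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "48647253" ] || return 1
    # kernel_version: little-endian 16-bit value at 0x20E; 0 means "not set".
    off=$(od -An -tu1 -j 526 -N 2 "$img" | awk '{ print $1 + 256 * $2 }')
    [ "${off:-0}" -gt 0 ] || return 1
    # The NUL-terminated string starts at that value plus 0x200.
    dd if="$img" bs=1 skip=$((off + 512)) count=256 2>/dev/null |
        tr '\000' '\n' | head -n 1
}

# Build a constructed stand-in for a bzImage: zero padding, the magic, the
# pointer (0x0100) and a made-up version string at 0x100 + 0x200 = 0x300.
make_sample_image() {
    {
        dd if=/dev/zero bs=1 count=514
        printf 'HdrS'
        dd if=/dev/zero bs=1 count=8
        printf '\000\001'
        dd if=/dev/zero bs=1 count=240
        printf '2.6.18-6-686 (constructed sample) #1 SMP\000trailing bytes'
    } > "$1" 2>/dev/null
}
```

What the string contains beyond the release depends on how the kernel was built, so comparing it against /proc/version should be checked on a known-good machine first.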
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
On Sat, 03 May 2008, Dominic Hargreaves wrote:
> cat /proc/version
>
> will give you the full version of the booted kernel.

Apropos. Is there a way to get that information from a vmlinuz file on disk? Without booting it, that is.

Peter
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
On Sat, May 03, 2008 at 10:57:38PM +0200, Mike Gerber wrote:
> Given a system with the package "linux-image-2.6.18-6-686" installed,
> version "2.6.18.dfsg.1-18etch3" and:
>
> # uname -r
> 2.6.18-6-686
>
> How do I decide that the fixed kernel is actually booted? Other than by
> uptime?

cat /proc/version

will give you the full version of the booted kernel.

Cheers,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities
Hi,

> Package: linux-2.6
> Vulnerability : several vulnerabilities
> Problem type : local
> Debian-specific: no
> CVE Id(s) : CVE-2007-6694 CVE-2008-0007 CVE-2008-1294 CVE-2008-1375
> [...]
> For the stable distribution (etch), this problem has been fixed in version
> 2.6.18.dfsg.1-18etch3.

Given a system with the package "linux-image-2.6.18-6-686" installed, version "2.6.18.dfsg.1-18etch3" and:

# uname -r
2.6.18-6-686

How do I decide that the fixed kernel is actually booted? Other than by uptime?

Cheers,
Mike