Bug#754294: Debian kernel fix for routing regression in 3.2.60

2014-07-16 Thread Teodor Milkov

On 13/07/14 19:55, Ben Hutchings wrote:

Sorry about the regression in the latest security update.  This is
apparently the result of an incomplete fix for a longstanding bug in
routing between interfaces with differing MTU.  The first part of the
fix went into 3.2.57, and the second part in 3.2.60.  It appears that
several more changes would need to be applied to complete the fix and
avoid this regression.

So, what I'm intending to do is to revert both those changes.  That will
leave the original bug present, but this will not be a regression from
the earlier Debian 7 'wheezy' kernel versions.

I have rebuilt the kernel for amd64 with these changes and uploaded to
http://people.debian.org/~benh/packages/wheezy-security/.  The changes
file is signed with my GPG key and there are also detached GPG
signatures for the linux-image binary packages.  You can verify these
using:

 gpg --keyring /usr/share/keyrings/debian-keyring.gpg --verify sig-file

If you need packages for another architecture or you're not sure about
the signature checking, you can build packages using the instructions at
http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official
and the attached patches (revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch
followed by revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch).

After applying the above two patches all is good. Here's how I tested:

apt-get update
apt-get build-dep linux

mkdir linux-deb
cd linux-deb
apt-get source linux=3.2.60-1+deb7u1
wget --no-check-certificate \
  'https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=50;filename=revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch;att=1;bug=754294;' \
  -O revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch
wget --no-check-certificate \
  'https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=50;filename=revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch;att=2;bug=754294;' \
  -O revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch


cd linux-3.2.60

bash debian/bin/test-patches -f amd64 -j 8 \
  ../revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch \
  ../revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch


dpkg -i linux-image-3.2.0-4-amd64_3.2.60-1+deb7u1a~test_i386.deb

And then tried my usual download-from-windows-host test, which worked fine.


Best regards,
Teodor Milkov


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
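
The message above notes that the rebuilt packages come with a GPG-signed changes file. As an added example (not part of the original mails or of any Debian tool), the sketch below checks downloaded files against the `Checksums-Sha256` field of a changes file whose signature has already passed the `gpg --verify` step quoted above; the function names and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile
def parse_sha256_field(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            digest, size, name = line.split()   # continuation: "<sha256> <size> <file>"
            entries[name] = (digest.lower(), int(size))
        else:
            in_field = False                    # any other header ends the field
    return entries

def verify_files(changes_text, directory):
    """Return {filename: 'ok' | 'missing' | 'size mismatch' | 'hash mismatch' | 'bad name'}."""
    results = {}
    for name, (digest, size) in parse_sha256_field(changes_text).items():
        path = os.path.join(directory, name)
        if os.path.basename(name) != name:      # never follow a path out of the directory
            results[name] = "bad name"
        elif not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size mismatch"
        else:
            with open(path, "rb") as fh:
                actual = hashlib.sha256(fh.read()).hexdigest()
            results[name] = "ok" if actual == digest else "hash mismatch"
    return results

def demo():
    """Constructed sample: one intact file, one altered after hashing, one absent."""
    files = {"a_1.0_amd64.deb": b"constructed package A\n", "b_1.0_amd64.deb": b"constructed package B\n"}
    listed = dict(files, **{"c_1.0_amd64.deb": b"never written\n"})
    changes = "Format: 1.8\nChecksums-Sha256:\n" + "".join(
        " %s %d %s\n" % (hashlib.sha256(d).hexdigest(), len(d), n)
        for n, d in listed.items()) + "Files:\n"
    files["b_1.0_amd64.deb"] = b"constructed package X\n"   # same size, new content
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return verify_files(changes, tmp)

if __name__ == "__main__":
    print(demo())
```

Pass in only the text that gpg reports as signed: anything outside the signature block of a clearsigned file is not covered by the signature.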



Bug#556942: CVE-2009-3555: SSL/TLS renegotiation vulnerability

2009-11-18 Thread Teodor Milkov
Package: libapache-mod-ssl
Severity: grave
Tags: security
Justification: user security hole


This is CVE-2009-3555 and is related to 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555829

I think there's no upstream fix for modssl atm, nevertheless this should
be tracked somewhere. Perhaps libapache-mod-ssl should be listed at
http://security-tracker.debian.org/tracker/CVE-2009-3555 as well.

-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.30.5-grsec
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)


