Re: Well - and kernel 2.4.18?

2005-04-04 Thread Maurizio Lemmo - Tannoiser
On Sunday 03 April 2005, at 20:03, Jan Lühr wrote:
> is there any progress in providing fixed kernels for stable?
> I was just wondering 'cause I expected 'em three months ago.

I think this mail from Martin Schulze answers this question.

http://lists.debian.org/debian-devel-announce/2005/04/msg2.html

HTH.

-- 
Willow: "Giles!"
Xander: "Yo, G-Man! What's up?"
Giles: "Nice to see you, and don't ever call me that."
--Buffy the Vampire Slayer: When She Was Bad


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: My machine was hacked - possibly via sshd?

2005-03-29 Thread Maurizio Lemmo - Tannoiser
On Tuesday 29 March 2005, at 00:34, Adam M. wrote:
> >But 2.4.18 is the Debian stable kernel, which gets security updates
> >and patches, no?
> 
> No, it doesn't. I really think that packages like this old kernel should
> be removed from the mirrors, or at least updated with big fat warning.

Sorry, but this isn't correct.
Kernel 2.4.18-1 in woody is patched against known vulnerabilities.

You may take a look at the latest update of it:

http://www.debian.org/security/2004/dsa-479

Recent vulnerabilities involve code not present in this release of the
kernel. This is one of the main reasons why the security team doesn't
want a new release of the kernel in the stable distribution.

> Anyway, the kernel in woody are not up to date. You *have to* roll your
> own kernel. At this time you should use the latest 2.4.x kernel, or
> 2.6.x if you need to. If you don't roll your own kernels, at least for
> machines with remote access, then all local users can get root.

Of course, rolling your own kernel is a good practice, but only if the
admin knows what to do. And of course a lot of other "practices" have to
be taken.

Static kernel, prevent lkm. Grsecurity patch helps a lot. Etc.

But the purpose of the kernel in stable isn't to be "the best choice in
any case", just a reasonable default kernel.

Then, of course YMMV, and a good admin has daily work to do
("security-out-of-the-box" is a buzz word, security is a process, not a
product) to do his job well.

All of this, IMHO, obviously.

My 0.2 cents.

-- 
Principal Snyder: "This is great!  Let's do donuts in the football field."
--Buffy the Vampire Slayer: Band Candy




Re: Hey, dude, it's me ^_^ :P (SpamEnder: BLOCKED C2EB-SE60215-debian-security@lists.debian.org)

2004-03-29 Thread Maurizio Lemmo - Tannoiser
On Monday 29 March 2004, at 17:09, Andy Tunstall wrote:
> In an effort to eliminate unsolicited e-mail, I have installed
> SpamEnder.  Please REPLY to this e-mail, without modifying the subject
> line, so that I can receive your original message. Upon my approval,
> future e-mails you send to me will be released automatically. If you
> do not REPLY to this e-mail, SpamEnder will block all future e-mails
> from this address and will not give you another opportunity to reply.

I don't think this is a great idea. Not all the readers of this list
may have time to do this; also, what about "new subscribers"?

This isn't a solution, IMHO.

-- 
Cordelia: "Well, obviously, Kevin has underestimated the power of my icy
stare." 
--Buffy the Vampire Slayer: Prophecy Girl



Re: downgrade to stable

2004-03-29 Thread Maurizio Lemmo - Tannoiser
On Monday 29 March 2004, at 18:23, Rudolf Lohner wrote:
> I succeeded in doing this a few months ago. It was a bit tricky.
> This is why I reported my experiences to the debian-testing list:
> 
> http://lists.debian.org/debian-testing/2003/debian-testing-200307/msg00039.html

I have been through this downgrade several times, 'cause my young
sysadmins are too "experimental", but I didn't find it "tricky".

Maybe 'cause I used dist-upgrade instead of upgrade.

Yes, I had to run it a couple of times, but nothing that apt couldn't
handle.

-- 
Xander: "Cordelia! I don't wanna' hurt you...some of the time."
--Buffy the Vampire Slayer: Bad Eggs



Re: downgrade to stable

2004-03-29 Thread Maurizio Lemmo - Tannoiser
On Monday 29 March 2004, at 16:49, Costas Magkos wrote:
> Hi debian people,
> 
> Is there a way to downgrade to stable, after having apt-get dist-upgrade 
> to testing?

Yes, via apt_preferences.

Just:

- edit/create /etc/apt/preferences
- insert an entry like this:

Package: *
Pin: release a=stable
Pin-Priority: 1001

Then update/dist-upgrade as usual.

More info in the apt_preferences man page.

-- 
Mal: 'Course, they won't discover it 'til they order the next round of drinks.
Thug: Way.
Mal: Good drinker, that one.
-- Shindig



Re: Current Stable Kernel 2.4.18 Source deb ?

2004-01-03 Thread Maurizio Lemmo - Tannoiser
On Saturday 03 January 2004, at 05:26, Nick Boyce wrote:
> I'd be grateful if someone could please try to deconfuse me about what
> the current stable kernel 2.4.18 source package is ..
> 
> DSA 403-1 (http://www.debian.org/security/2003/dsa-403) states that
> the do_brk security hole was fixed in vanilla kernel 2.4.23, and that
> 
>   "For Debian it has been fixed in version 2.4.18-12 of 
>   the kernel source packages, version 2.4.18-14 of the 
>   i386 kernel images and version 2.4.18-11 of the alpha 
>   kernel images"

I think this was simply a mistake. It makes no sense for the image to be
more up to date than the source it came from. I think they inverted the
version numbers in the mail message.

Actually:

[EMAIL PROTECTED]:~$ apt-cache show kernel-image-2.4.18-1-686 | grep Version
Version: 2.4.18-12
[EMAIL PROTECTED]:~$ apt-cache show kernel-source-2.4.18 | grep Version
Version: 2.4.18-14
Version: 2.4.18-13

The fixed source is 2.4.18-14 and the fixed image is 2.4.18-12.

It's my opinion, but I think it's correct.

-- 
Buffy: "Anya seems a bit edgy."
Willow: "She's a little antsy around commando-types. Ex-demon issues."
--Buffy the Vampire Slayer: The I In Team



Re: ptrace exploit

2003-04-13 Thread Maurizio Lemmo - Tannoiser
On Saturday 12 April 2003, at 16:48, Markus Kolb wrote:
> >Nono, that's not what I'm asking... My question is, literally, _why_
> >doesn't woody have such a patch? (I applied it on my systems, I'm just
> >wondering why there isn't an official patch for this (Official for
> >Debian).
> 
> Perhaps, because there was no bug report against these packages?!

There's a bug report.

From what I can see, there's the 2.4.20-patched in proposed-updates.
Maybe this is the reason.

Or, 'cause the patch is actually a workaround, some software (say
netsaint, or nagios, I don't remember) dislikes this "new bugfix" and
doesn't work.

-- 
Faith:  "Gee, if doing violence to vampires upsets you, I think you're in the
wrong line of work."
--Buffy the Vampire Slayer: Faith, Hope & Trick



Re: ptrace exploit

2003-04-12 Thread Maurizio Lemmo - Tannoiser
On Saturday 12 April 2003, at 06:45, Birzan George Cristian wrote:
> This might be a stupid question, I know, but, why isn't there a patch
> for the ptrace exploit, for the Woody kernel-source? 

I've backported the patch for the same reason (reliability of 2.4.18).
The people that use it didn't yell yet, so I guess it's working :)

You can find it here:

http://erlug.linux.it/~tann/pkg/linux-2.4.18-ptrace-tann.patch

Hope it's useful.

-- 
Buffy: "Judgemental? If I was any more open-minded about the choices you two 
make, my whole brain would fall out."
--Buffy the Vampire Slayer: The Yoko Factor



Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread Maurizio Lemmo - Tannoiser
On Tuesday 01 April 2003, at 14:20, DouRiX wrote:
> but isn't there a trick to surpass the bug while waiting for debian 
> updates ?

Actually, yes.

But I'm not really sure if it's a "good" workaround. Anyway:

If you disable automatic module loading (a kernel feature), you may
ignore this vulnerability.

You may do this with:

echo "whatever" > /proc/sys/kernel/modprobe

So, whenever some automatism invokes this, it produces an error.
Unfortunately, you cannot discriminate which processes can do this
safely and which cannot.

In a server environment, where there is no need to load modules at
run-time, it could be a "usable workaround", but on a workstation
machine, I don't think that's a great idea.

So, it's preferable to get the patch and recompile the kernel, or take
the 2.4.20-patched kernel in proposed-updates.

My 0.2 cents.

> or won't be there a 2.4.18 update ? :)

I've never seen a "kernel update"; you may install different copies of
them.

I suppose that it will not be upgraded for this reason, and when 2.4.20
is available (when it is well tested) you could simply install it.

Meanwhile... (this is why I backported the patch. I like stable things.
2.4.18 runs great for me. I'm in no hurry for the new-verynew-release).

Forgive my English.

-- 
Buffy: "Is this a get-in-my-pants thing? You guys in Sunnydale talk 
   like I'm the second coming."
--Buffy the Vampire Slayer: The Wish
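
The workaround in the message above can be audited with a short script; this is an added example, not part of the original post. The function names are hypothetical, and it assumes the setting would be persisted in /etc/sysctl.conf as kernel.modprobe.

```sh
#!/bin/sh
# Added example (not from the original message): audit the workaround state.
# Function names are hypothetical; paths default to the live system and can
# be overridden with stand-in files for testing.

# Print "enabled" if the kernel's module-autoload helper is an absolute path
# to an executable file, "disabled" if it is not (workaround in effect),
# "unknown" if the control file cannot be read.
autoload_state() {
    ctl=${1:-/proc/sys/kernel/modprobe}
    if [ ! -r "$ctl" ]; then
        echo "unknown"
        return 0
    fi
    helper=$(head -n 1 "$ctl")
    case "$helper" in
        /*) if [ -f "$helper" ] && [ -x "$helper" ]; then
                echo "enabled"
                return 0
            fi ;;
    esac
    echo "disabled"
}

# A value written into /proc is lost at reboot. Print the last
# kernel.modprobe value found in a sysctl configuration file, if any
# (assumption: the system persists sysctls in /etc/sysctl.conf).
persistent_setting() {
    conf=${1:-/etc/sysctl.conf}
    [ -r "$conf" ] || return 0
    sed -n 's/^[[:space:]]*kernel\.modprobe[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1
}

report() {
    state=$(autoload_state "$1")
    saved=$(persistent_setting "$2")
    echo "module autoload helper: $state (persisted value: ${saved:-none})"
}

report "" ""
```

A "disabled" state with no persisted value means the workaround will be gone after the next reboot.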



Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-03-31 Thread Maurizio Lemmo - Tannoiser
On Monday 31 March 2003, at 16:02, DouRiX wrote:
> Does someone know where is debian about this issue ?
> 
> 

I've noticed that there is a kernel 2.4.20 with the ptrace patch
included in proposed-updates.

For my purposes, I've backported that patch to work with kernel 2.4.18
(from Debian).

Works for me.

Patch with:

cd /path/to/source
patch -p1 < /path/to/patch

You may find it here:

http://erlug.linux.it/~tann/pkg/linux-2.4.18-ptrace-tann.patch

(there's also a kernel image bf2.4 with the patch incorporated, if you
trust me.. :) )

-- 
Master: "You killed the girl that sought the Slayer?"
Xander: "It was too easy."
Willow: "I felt cheap."
--Buffy the Vampire Slayer: The Wish


