Re: [SECURITY] [DSA 1356-1] New Linux 2.6.18 packages fix several vulnerabilities
Dimitar Dobrev [EMAIL PROTECTED] writes: Hi All, i have build my kernel from source 2.6.18 + debian patches. But after every step when configuring the RAID i have rebuild it - |mkinitrd -o /boot/initrd.img-2.6.18-temp /lib/modules/2.6.18/ cp ||/boot/initrd.img-2.6.18-temp ||boot/initrd.img-2.6.18| | My question is: What will happen to my software RAID when i rebuid my kernel? Will it function propertly after recompiling the new source? Regards Dimitar I never had any problems with my software raid on kernel updates. I don't know what you did but it shouldn't happen. MfG Goswin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [DSA 1356-1] New Linux 2.6.18 packages fix several vulnerabilities
On Thu, Aug 16, 2007 at 09:44:12AM +0200, Bj?rn Mork wrote: dann frazier [EMAIL PROTECTED] writes: If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages This won't work unless there are updated linux-image-2.6-* packages in security, will it? And even then, a dist-upgrade would be needed. Dominic. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [DSA 1356-1] New Linux 2.6.18 packages fix several vulnerabilities
On Thu, Aug 16, 2007 at 09:34:58AM +0100, Dominic Hargreaves wrote: And even then, a dist-upgrade would be needed. Sorry to be replying to myself. Of course, this will also need module-assistant style (and any other) out-of-tree modules to be rebuilt; I can't remember whether there's ever been a kernel ABI bump in a stable release before, but IMO this update certainly warrants something other than the standard boilerplate in the advisory. Or, to put it another way, dist-upgrade (as indicated above) isn't safe and so shouldn't be recommended without further qualification. Cheers, Dominic. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1356-1] New Linux 2.6.18 packages fix several vulnerabilities
Hi All, i have build my kernel from source 2.6.18 + debian patches. But after every step when configuring the RAID i have rebuild it - |mkinitrd -o /boot/initrd.img-2.6.18-temp /lib/modules/2.6.18/ cp ||/boot/initrd.img-2.6.18-temp ||boot/initrd.img-2.6.18| | My question is: What will happen to my software RAID when i rebuid my kernel? Will it function propertly after recompiling the new source? Regards Dimitar |dann frazier wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 1356-1[EMAIL PROTECTED] http://www.debian.org/security/ Dann Frazier August 15th, 2007 http://www.debian.org/security/faq - -- Package: linux-2.6 Vulnerability : several Problem-Type : local/remote Debian-specific: no CVE ID : CVE-2007-1353 CVE-2007-2172 CVE-2007-2453 CVE-2007-2525 CVE-2007-2876 CVE-2007-3513 CVE-2007-3642 CVE-2007-3848 CVE-2007-3851 Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. CVE-2007-2453 A couple of issues with random number generation were discovered. Slightly less random numbers resulted from hashing a subset of the available entropy. zero-entropy systems were seeded with the same inputs at boot time, resulting in repeatable series of random numbers. CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. CVE-2007-2876 Vilmos Nebehaj discovered a NULL pointer dereference condition in the netfilter subsystem. This allows remote systems which communicate using the SCTP protocol to crash a system by creating a connection with an unknown chunk type. CVE-2007-3513 Oliver Neukum reported an issue in the usblcd driver which, by not limiting the size of write buffers, permits local users with write access to trigger a DoS by consuming all available memory. CVE-2007-3642 Zhongling Wen reported an issue in nf_conntrack_h323 where the lack of range checking may lead to NULL pointer dereferences. Remote attackers could exploit this to create a DoS condition (system crash). CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. CVE-2007-3851 Dave Airlie reported that Intel 965 and above chipsets have relocated their batch buffer security bits. Local X server users may exploit this to write user data to arbitrary physical memory addresses. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch1. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update: Debian 4.0 (etch) fai-kernels 1.17+etch4 user-mode-linux 2.6.18-1um-2etch3 We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - Source archives: http://security.debian.org/pool/updates/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-13etch1.dsc Size/MD5 checksum: 5672
Re: [DSA 1356-1] New Linux 2.6.18 packages fix several vulnerabilities
On Thu, Aug 16, 2007 at 09:44:12AM +0200, Bj?rn Mork wrote: dann frazier [EMAIL PROTECTED] writes: If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages This won't work unless there are updated linux-image-2.6-* packages in security, will it? This is an update on top of 4.0r1 which is hitting mirrors now and includes updated versions of linux-latest-2.6. -- dann frazier -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1356-1] New Linux 2.6.18 packages fix several vulnerabilities
Ok i already tested it - i booted into my raid with the new precompiled kernel image without any problems! Regards Dimitar Dimitar Dobrev wrote: Hi All, i have build my kernel from source 2.6.18 + debian patches. But after every step when configuring the RAID i have rebuild it - |mkinitrd -o /boot/initrd.img-2.6.18-temp /lib/modules/2.6.18/ cp ||/boot/initrd.img-2.6.18-temp ||boot/initrd.img-2.6.18| | My question is: What will happen to my software RAID when i rebuid my kernel? Will it function propertly after recompiling the new source? Regards Dimitar |dann frazier wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 1356-1 [EMAIL PROTECTED] http://www.debian.org/security/ Dann Frazier August 15th, 2007 http://www.debian.org/security/faq - -- Package: linux-2.6 Vulnerability : several Problem-Type : local/remote Debian-specific: no CVE ID : CVE-2007-1353 CVE-2007-2172 CVE-2007-2453 CVE-2007-2525 CVE-2007-2876 CVE-2007-3513 CVE-2007-3642 CVE-2007-3848 CVE-2007-3851 Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. CVE-2007-2453 A couple of issues with random number generation were discovered. Slightly less random numbers resulted from hashing a subset of the available entropy. zero-entropy systems were seeded with the same inputs at boot time, resulting in repeatable series of random numbers. CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. CVE-2007-2876 Vilmos Nebehaj discovered a NULL pointer dereference condition in the netfilter subsystem. This allows remote systems which communicate using the SCTP protocol to crash a system by creating a connection with an unknown chunk type. CVE-2007-3513 Oliver Neukum reported an issue in the usblcd driver which, by not limiting the size of write buffers, permits local users with write access to trigger a DoS by consuming all available memory. CVE-2007-3642 Zhongling Wen reported an issue in nf_conntrack_h323 where the lack of range checking may lead to NULL pointer dereferences. Remote attackers could exploit this to create a DoS condition (system crash). CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. CVE-2007-3851 Dave Airlie reported that Intel 965 and above chipsets have relocated their batch buffer security bits. Local X server users may exploit this to write user data to arbitrary physical memory addresses. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch1. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update: Debian 4.0 (etch) fai-kernels 1.17+etch4 user-mode-linux 2.6.18-1um-2etch3 We recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch -
Re: [DSA 1356-1] New Linux 2.6.18 packages fix several vulnerabilities
On Thu, Aug 16, 2007 at 09:34:58AM +0100, Dominic Hargreaves wrote: On Thu, Aug 16, 2007 at 09:44:12AM +0200, Bj?rn Mork wrote: dann frazier [EMAIL PROTECTED] writes: If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages This won't work unless there are updated linux-image-2.6-* packages in security, will it? And even then, a dist-upgrade would be needed. This update is based on 4.0r1 which includes the ABI change. Upgrading from 4.0r1 does not require a dist-upgrade. The timing was admittedly awkward as the security update hit before the mirrors synced 4.0r1, but it also has the benefit of preventing people from upgrading to the 4.0r1 kernel and then immediately having to upgrade to grab the security fixes. -- dann frazier -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [DSA 1356-1] New Linux 2.6.18 packages fix several vulnerabilities
On Thu, Aug 16, 2007 at 10:08:18AM +0100, Dominic Hargreaves wrote: On Thu, Aug 16, 2007 at 09:34:58AM +0100, Dominic Hargreaves wrote: And even then, a dist-upgrade would be needed. Sorry to be replying to myself. Of course, this will also need module-assistant style (and any other) out-of-tree modules to be rebuilt; I can't remember whether there's ever been a kernel ABI bump in a stable release before, sarge has had 3 ABI bumps - one for 2.4, two for 2.6 but IMO this update certainly warrants something other than the standard boilerplate in the advisory. If the ABI change was introduced by the security update I'd agree - but technically it was introduced by 4.0r1 (which includes rebuilds of the various linux-modules- packages). The ABI change is noted in the 4.0r1 announcement. -- dann frazier -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]