Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities
Hi,

On Fri Dec 28, 2007 at 19:19:50 -0500, Jim Popovitch wrote:
> On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote:
> > On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
> > > However, I cannot see any security announcement for most of these.
> > > Were they updated because of the security fix for tar? If yes, why
> > > doesn't the security announcement mention that updated versions are
> > > available also for those packages?
> >
> > see http://lists.debian.org/debian-announce/debian-announce-2007/msg4.html
>
> Martin,
>
> First, I (and many others) appreciate your and everyone else's work on
> Debian. That said, I too am confused by the latest Debian 4.0 release.
> It seems to me that, in the past, all Debian patches were released with
> DSAs (why patch w/o a DSA?), and that further updates to the core
> release (Potato, Sid, Sarge, Etch, etc.) were only a roll-up of
> previously issued DSAs. I don't recall new functionality ever being
> added in a core release update bundle (although I could be wrong).

You are (mostly) wrong here. Most of the packages mentioned under
"Miscellaneous Bugfixes" in the release announcement are just bug fixes;
several of them also have CVE numbers which the security team thinks are
not so important to fix. Others just add missing dependencies, without
which the package would not be able to run. Other packages just get RC
bugs fixed. The only package which got REAL updates this time was the
Debian Linux kernel, to support e.g. SGI O2 machines. Also some
(sub-)architectures were missing some important kernel modules the other
(sub-)architectures had, so we considered that worth updating the kernel
for.

> Consider that some people, such as myself, only update servers based on
> review of public DSA statements. Yet now we find ourselves with multiple
> days of updates to multiple pkgs, but no corresponding DSA announcements
> to cross reference for validity (which can easily make one suspect a
> mirror has been hacked).

Thus we try to send out the announcement for that 'point release' very
shortly after the packages have been pushed out to the mirrors (read as:
within one day). We cannot send it directly after the dinstall process,
as only the tier-1 mirrors would then have those packages, but not the
tier-2 and tier-3 mirrors. Also consider that some mirrors only update by
cron twice a day.

> Since I'm not the only one confused by the recent updates, can we get
> some clarification on this process please. Specifically, is it currently
> Debian policy to release non-critical pkg updates, i.e. releases without
> DSAs, in periodic core release rollups? (is this new or has it been so
> in the past?) Could Debian be better served by calling the rollup
> (including new non-critical updates) a new release (i.e. 4.1)?

These releases are called 'point releases' and are prepared publicly.
Preparation mails for these point releases are periodically sent to
[EMAIL PROTECTED]. Also prior releases had 'Miscellaneous Bugfixes', see
e.g. [2]. The list of 'Miscellaneous Bugfixes' just got a bit bigger, as
the last point release was, for various reasons, not 2 but 6 months ago.
Also my predecessor, Joey Schulze, was much more strict regarding
'Miscellaneous Bugfixes', and several Debian Developers expressed the
wish that his rules should be eased a bit. We are still very strict
regarding these bugfixes, but not as strict as he was. I hereby will also
say that these bugfixes (and point releases) will happen in future as
well, so be prepared for it. You really should read [EMAIL PROTECTED], as
all these updates will be announced to that mailing list.

Hope that e-mail helps a bit to clarify.

Greetings
Martin

[1] http://lists.debian.org/debian-release/2007/12/msg00203.html or
    http://lists.debian.org/debian-release/2007/12/msg00254.html
[2] http://lists.debian.org/debian-announce/debian-announce-2007/msg3.html or
    http://lists.debian.org/debian-announce/debian-announce-2007/msg0.html

-- 
[EMAIL PROTECTED] /root]# man real-life
No manual entry for real-life

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities
In article [EMAIL PROTECTED] you wrote:
> These releases are called 'point releases' and are prepared publicly.
> Preparation mails for these point releases are periodically sent to
> [EMAIL PROTECTED]. Also prior releases had 'Miscellaneous Bugfixes', see
> e.g. [2]. The list of 'Miscellaneous Bugfixes' just got a bit bigger, as
> the last point release was, for various reasons, not 2 but 6 months ago.

Hmmm, I think pushing point releases via the package pool and preparing a
new release directory would limit the confusion. I don't see a need to
make those packages available on security.d.o. I think in the past we did
exactly that with proposed-updates.

Greetings
Bernd
Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities
Bernd Eckenfels wrote:
> In article [EMAIL PROTECTED] you wrote:
> > These releases are called 'point releases' and are prepared publicly.
> > Preparation mails for these point releases are periodically sent to
> > [EMAIL PROTECTED]. Also prior releases had 'Miscellaneous Bugfixes',
> > see e.g. [2]. The list of 'Miscellaneous Bugfixes' just got a bit
> > bigger, as the last point release was, for various reasons, not 2 but
> > 6 months ago.
>
> Hmmm, I think pushing point releases via the package pool and preparing
> a new release directory would limit the confusion. I don't see a need to
> make those packages available on security.d.o. I think in the past we
> did exactly that with proposed-updates.

There is no difference now, they are not available via
security.debian.org. "apt-cache policy pkg" will tell you where they come
from if you are in doubt.

Cheers

Luk
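The check Luk points at is the "Version table" of `apt-cache policy`: for every version apt knows, it lists the configured sources that offer it, and marks the installed one with `***`. A package whose installed version is offered by security.debian.org should have a DSA; one offered only by the main archive should appear in a point-release announcement; one offered by neither is worth a closer look. The script below is an added example written for this thread, not code from Debian or from any of the posters. It parses a constructed sample of etch-era `apt-cache policy` output (the versions and hosts in it are illustrative) and classifies each installed version by where it is served from; the host names in `ARCHIVE_HOSTS` are an assumption standing in for whatever your sources.list points at.

```python
import re
import sys
from urllib.parse import urlparse

# Constructed sample in the format `apt-cache policy <pkg>...` printed on
# Debian etch.  Package versions and hosts are illustrative, not taken
# from the thread or from any real DSA.
SAMPLE_POLICY = """\
tar:
  Installed: 1.16-2etch1
  Candidate: 1.16-2etch1
  Version table:
 *** 1.16-2etch1 0
        500 http://security.debian.org etch/updates/main Packages
        100 /var/lib/dpkg/status
     1.16-2 0
        500 http://ftp.debian.org etch/main Packages
tzdata:
  Installed: 2007k-1etch1
  Candidate: 2007k-1etch1
  Version table:
 *** 2007k-1etch1 0
        500 http://ftp.debian.org etch/main Packages
        100 /var/lib/dpkg/status
     2007f-1 0
        500 http://ftp.debian.org etch/main Packages
foo:
  Installed: 1.0-1local
  Candidate: 1.0-1
  Version table:
 *** 1.0-1local 0
        100 /var/lib/dpkg/status
     1.0-1 0
        500 http://ftp.debian.org etch/main Packages
"""

SECURITY_HOSTS = {"security.debian.org"}
# Assumed: the archive mirror(s) this machine's sources.list points at.
ARCHIVE_HOSTS = {"ftp.debian.org", "ftp.de.debian.org"}


def parse_policy(text):
    """Parse apt-cache policy output into
    {pkg: {"installed": v, "candidate": v, "sources": {version: [uri, ...]}}}.
    The version table has two line shapes: " *** <version> <pin>" (the ***
    marks the installed version) and "<priority> <uri> <suite> ... Packages"
    or "<priority> /var/lib/dpkg/status" beneath it."""
    pkgs, cur, cur_ver = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^(\S+):$", line)
        if header:
            cur = pkgs[header.group(1)] = {"installed": None, "candidate": None, "sources": {}}
            cur_ver = None
            continue
        if cur is None:
            continue
        if line.startswith("Installed:"):
            cur["installed"] = line.split(":", 1)[1].strip()
        elif line.startswith("Candidate:"):
            cur["candidate"] = line.split(":", 1)[1].strip()
        elif line.startswith("Version table:"):
            pass
        else:
            tokens = line.split()
            if tokens[0] == "***":
                tokens = tokens[1:]
            if len(tokens) == 2 and tokens[1].lstrip("-").isdigit():
                cur_ver = tokens[0]                    # "<version> <pin-priority>"
                cur["sources"].setdefault(cur_ver, [])
            elif cur_ver is not None and tokens[0].lstrip("-").isdigit():
                cur["sources"][cur_ver].append(tokens[1])  # "<priority> <uri> ..."
    return pkgs


def origin_of(uri, archive_hosts=ARCHIVE_HOSTS):
    """Classify one source entry from the version table by host."""
    if uri.startswith("/"):
        return "local"                                 # /var/lib/dpkg/status
    host = urlparse(uri).hostname or ""
    if host in SECURITY_HOSTS:
        return "security"
    if host in archive_hosts:
        return "archive"
    return "unknown"


def audit(text, archive_hosts=ARCHIVE_HOSTS):
    """Return {pkg: (installed_version, verdict)}:
    'security'   served by security.debian.org: expect a DSA
    'archive'    served by the main archive: expect a point-release entry
    'unknown'    served by a host outside both sets: check sources.list
    'local-only' in dpkg's database only: no configured source offers it"""
    report = {}
    for name, info in parse_policy(text).items():
        ver = info["installed"]
        if ver in (None, "(none)"):
            continue
        origins = {origin_of(u, archive_hosts) for u in info["sources"].get(ver, [])}
        origins.discard("local")
        if "unknown" in origins:
            verdict = "unknown"
        elif "security" in origins:
            verdict = "security"
        elif "archive" in origins:
            verdict = "archive"
        else:
            verdict = "local-only"
        report[name] = (ver, verdict)
    return report


if __name__ == "__main__":
    # On a real host:  apt-cache policy $(dpkg-query -W -f='${Package} ') | python3 audit.py
    text = SAMPLE_POLICY if sys.stdin.isatty() else sys.stdin.read()
    for name, (ver, verdict) in sorted(audit(text).items()):
        print(f"{name:20} {ver:20} {verdict}")
```

On the sample, tar comes out as "security" (look for its DSA), tzdata as "archive" (look for it in the point-release announcement), and foo as "local-only", the case that deserves attention: the installed version is not offered by any configured source. The classification only says where apt would fetch a version from; it does not replace verifying the archive's Release signature, which is what actually rules out a tampered mirror.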
Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities
On Friday, 28 December 2007 16:29, Florian Weimer wrote:
> Debian Security Advisory DSA-1438-1                    [EMAIL PROTECTED]
> http://www.debian.org/security/                          Florian Weimer
> December 28, 2007                     http://www.debian.org/security/faq
>
> Package        : tar
> Vulnerability  : several
> Problem type   : local(remote)
> Debian-specific: no
> CVE Id(s)      : CVE-2007-4131, CVE-2007-4476
>
> Several vulnerabilities have been discovered in GNU Tar.

Hello,

during the last six days, updates of the following packages were
available via security.debian.org:

debconf
debconf-i18n
findutils
klibc-utils
libc6
libc6-i386
libklibc
libpam-modules
libpam-runtime
libpam0g
linux-image-2.6.18-5-amd64
locales
tar
tzdata

However, I cannot see any security announcement for most of these. Were
they updated because of the security fix for tar? If yes, why doesn't the
security announcement mention that updated versions are available also
for those packages?

Best wishes,
Wolfgang
Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities
Hi,

On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
> On Friday, 28 December 2007 16:29, Florian Weimer wrote:
> > Debian Security Advisory DSA-1438-1                  [EMAIL PROTECTED]
> > http://www.debian.org/security/                        Florian Weimer
> > December 28, 2007                   http://www.debian.org/security/faq
> >
> > Package        : tar
> > Vulnerability  : several
> > Problem type   : local(remote)
> > Debian-specific: no
> > CVE Id(s)      : CVE-2007-4131, CVE-2007-4476
> >
> > Several vulnerabilities have been discovered in GNU Tar.
>
> Hello,
>
> during the last six days, updates of the following packages were
> available via security.debian.org:

wrong.

> debconf
> debconf-i18n
> findutils
> klibc-utils
> libc6
> libc6-i386
> libklibc
> libpam-modules
> libpam-runtime
> libpam0g
> linux-image-2.6.18-5-amd64
> locales
> tar
> tzdata
>
> However, I cannot see any security announcement for most of these. Were
> they updated because of the security fix for tar? If yes, why doesn't
> the security announcement mention that updated versions are available
> also for those packages?

see http://lists.debian.org/debian-announce/debian-announce-2007/msg4.html

-- 
[EMAIL PROTECTED] /root]# man real-life
No manual entry for real-life
Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities
On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote:
> On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
> > However, I cannot see any security announcement for most of these.
> > Were they updated because of the security fix for tar? If yes, why
> > doesn't the security announcement mention that updated versions are
> > available also for those packages?
>
> see http://lists.debian.org/debian-announce/debian-announce-2007/msg4.html

Martin,

First, I (and many others) appreciate your and everyone else's work on
Debian. That said, I too am confused by the latest Debian 4.0 release. It
seems to me that, in the past, all Debian patches were released with DSAs
(why patch w/o a DSA?), and that further updates to the core release
(Potato, Sid, Sarge, Etch, etc.) were only a roll-up of previously issued
DSAs. I don't recall new functionality ever being added in a core release
update bundle (although I could be wrong).

Consider that some people, such as myself, only update servers based on
review of public DSA statements. Yet now we find ourselves with multiple
days of updates to multiple pkgs, but no corresponding DSA announcements
to cross reference for validity (which can easily make one suspect a
mirror has been hacked).

Since I'm not the only one confused by the recent updates, can we get
some clarification on this process please. Specifically, is it currently
Debian policy to release non-critical pkg updates, i.e. releases without
DSAs, in periodic core release rollups? (is this new or has it been so in
the past?) Could Debian be better served by calling the rollup (including
new non-critical updates) a new release (i.e. 4.1)?

Thank you for helping to clarify.

-Jim P.
Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities
Jim Popovitch wrote:
> On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote:
> > On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
> > > However, I cannot see any security announcement for most of these.
> > > Were they updated because of the security fix for tar? If yes, why
> > > doesn't the security announcement mention that updated versions are
> > > available also for those packages?
> >
> > see http://lists.debian.org/debian-announce/debian-announce-2007/msg4.html
>
> Martin,
>
> First, I (and many others) appreciate your and everyone else's work on
> Debian. That said, I too am confused by the latest Debian 4.0 release.
> It seems to me that, in the past, all Debian patches were released with
> DSAs (why patch w/o a DSA?), and that further updates to the core
> release (Potato, Sid, Sarge, Etch, etc.) were only a roll-up of
> previously issued DSAs. I don't recall new functionality ever being
> added in a core release update bundle (although I could be wrong).
>
> Consider that some people, such as myself, only update servers based on
> review of public DSA statements. Yet now we find ourselves with multiple
> days of updates to multiple pkgs, but no corresponding DSA announcements
> to cross reference for validity (which can easily make one suspect a
> mirror has been hacked).
>
> Since I'm not the only one confused by the recent updates, can we get
> some clarification on this process please. Specifically, is it currently
> Debian policy to release non-critical pkg updates, i.e. releases without
> DSAs, in periodic core release rollups? (is this new or has it been so
> in the past?) Could Debian be better served by calling the rollup
> (including new non-critical updates) a new release (i.e. 4.1)?

No, the updates you are seeing are release critical, but not per se
security related. DSAs only cover severe security issues; a point release
covers both DSAs and other release critical package updates. This has
always been the case, though currently we probably try to fix more
release critical issues than in the past.

Every point release is announced on [EMAIL PROTECTED], including the list
of updated packages and a reason why they are updated.

Cheers

Luk