Re: [SECURITY] [DSA 1864-1] New Linux 2.6.24 packages fix privilege escalation

2009-08-18 Thread Harald Weidner
Hello,

Michael S. Gilbert michael.s.gilb...@gmail.com:

>> Will there also be a fix for etch's 2.6.18 kernel?

> yes, dsa-1865 was issued for etch's 2.6.18 yesterday.

Thank you.

I was confused because the 2.6.18 fix was not mentioned on
http://www.debian.org/security/ .

I know that not all the security announcements go there, but why is
the 2.6.24 fix listed but 2.6.18 is not? Is 2.6.24 considered as the
'default' etch kernel?

Regards,
Harald


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Re: [SECURITY] [DSA 1864-1] New Linux 2.6.24 packages fix privilege escalation

2009-08-18 Thread Michael S. Gilbert
On 18 Aug 2009 10:54:04 GMT, Harald Weidner wrote:
> Hello,
>
> Michael S. Gilbert michael.s.gilb...@gmail.com:
>
>>> Will there also be a fix for etch's 2.6.18 kernel?
>
>> yes, dsa-1865 was issued for etch's 2.6.18 yesterday.
>
> Thank you.
>
> I was confused because the 2.6.18 fix was not mentioned on
> http://www.debian.org/security/ .
>
> I know that not all the security announcements go there, but why is
> the 2.6.24 fix listed but 2.6.18 is not? Is 2.6.24 considered as the
> 'default' etch kernel?

sometimes the webscripts fail when the DSA is not formatted correctly.
you can send an email to the www team if a DSA does not show up.  there
has already been some discussion to make DSA preparers better aware of
the requirements of the webscripts.

mike





Re: [SECURITY] [DSA 1864-1] New Linux 2.6.24 packages fix privilege escalation

2009-08-18 Thread dann frazier
On Tue, Aug 18, 2009 at 10:54:04AM +0000, Harald Weidner wrote:
> Hello,
>
> Michael S. Gilbert michael.s.gilb...@gmail.com:
>
>>> Will there also be a fix for etch's 2.6.18 kernel?
>
>> yes, dsa-1865 was issued for etch's 2.6.18 yesterday.
>
> Thank you.

no problem

> I was confused because the 2.6.18 fix was not mentioned on
> http://www.debian.org/security/ .

This web page isn't meant to be a notification mechanism -
the debian-security-announce list is the place to watch for
updates. The web page is populated later.

> I know that not all the security announcements go there, but why is
> the 2.6.24 fix listed but 2.6.18 is not? Is 2.6.24 considered as the
> 'default' etch kernel?

2.6.18 and 2.6.24 are equally supported for etch.

-- 
dann frazier





Re: [SECURITY] [DSA 1864-1] New Linux 2.6.24 packages fix privilege escalation

2009-08-17 Thread Harald Weidner
Hello,

dann frazier da...@dannf.org:

> The previous fix was for lenny's 2.6.26 kernel. This fix is for etch's
> 2.6.24 kernel.

Will there also be a fix for etch's 2.6.18 kernel?

Harald





Re: [SECURITY] [DSA 1864-1] New Linux 2.6.24 packages fix privilege escalation

2009-08-17 Thread Michael S. Gilbert
On 17 Aug 2009 14:20:24 GMT, Harald Weidner wrote:
> Hello,
>
> dann frazier da...@dannf.org:
>
>> The previous fix was for lenny's 2.6.26 kernel. This fix is for etch's
>> 2.6.24 kernel.
>
> Will there also be a fix for etch's 2.6.18 kernel?

yes, dsa-1865 was issued for etch's 2.6.18 yesterday.

mike





Re: [SECURITY] [DSA 1864-1] New Linux 2.6.24 packages fix privilege escalation

2009-08-17 Thread dann frazier
On Mon, Aug 17, 2009 at 02:20:24PM +0000, Harald Weidner wrote:
> Hello,
>
> dann frazier da...@dannf.org:
>
>> The previous fix was for lenny's 2.6.26 kernel. This fix is for etch's
>> 2.6.24 kernel.
>
> Will there also be a fix for etch's 2.6.18 kernel?

http://lists.debian.org/debian-security-announce/2009/msg00182.html

-- 
dann frazier





Re: [SECURITY] [DSA 1864-1] New Linux 2.6.24 packages fix privilege escalation

2009-08-16 Thread marodriguez
Good afternoon.
I think this is the same bug as the other day; the ID is the same, I am
sure of that.

CVE Id(s)  : CVE-2009-2692

Even so, tomorrow I will check whether there is a new kernel or not.
Regards



> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ----------------------------------------------------------------------
> Debian Security Advisory DSA-1864-1                secur...@debian.org
> http://www.debian.org/security/                           Dann Frazier
> Aug 16, 2009                        http://www.debian.org/security/faq
> - ----------------------------------------------------------------------
>
> Package        : linux-2.6.24
> Vulnerability  : privilege escalation
> Problem type   : local
> Debian-specific: no
> CVE Id(s)      : CVE-2009-2692
>
> A vulnerability has been discovered in the Linux kernel that may lead
> to privilege escalation. The Common Vulnerabilities and Exposures
> project identifies the following problem:
>
> CVE-2009-2692
>
>     Tavis Ormandy and Julien Tinnes discovered an issue with how the
>     sendpage function is initialized in the proto_ops structure.
>     Local users can exploit this vulnerability to gain elevated
>     privileges.
>
> For the oldstable distribution (etch), this problem has been fixed in
> version 2.6.24-6~etchnhalf.8etch3.
>
> We recommend that you upgrade your linux-2.6.24 packages.
>
> Note: Debian 'etch' includes linux kernel packages based upon both the
> 2.6.18 and 2.6.24 linux releases.  All known security issues are
> carefully tracked against both packages and both packages will receive
> security updates until security support for Debian 'etch'
> concludes. However, given the high frequency at which low-severity
> security issues are discovered in the kernel and the resource
> requirements of doing an update, lower severity 2.6.18 and 2.6.24
> updates will typically release in a staggered or leap-frog fashion.
>
> Upgrade instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
> Debian GNU/Linux 4.0 alias etch
> - -------------------------------
>
> Oldstable updates are available for alpha, amd64, hppa, i386, ia64, mips,
> mipsel, powerpc, s390 and sparc.
>
> The arm update will be released once the build becomes available.


Re: [SECURITY] [DSA 1864-1] New Linux 2.6.24 packages fix privilege escalation

2009-08-16 Thread dann frazier
On Sun, Aug 16, 2009 at 07:00:59PM +0200, marodrig...@grupogdt.com wrote:
> Good afternoon.
> I think this is the same bug as the other day; the ID is the same, I am
> sure of that.
>
> CVE Id(s)  : CVE-2009-2692
>
> Even so, tomorrow I will check whether there is a new kernel or not.
> Regards

The previous fix was for lenny's 2.6.26 kernel. This fix is for etch's
2.6.24 kernel.

-- 
dann frazier

