Re: Upgrading Kernels...

2003-12-07 Thread Magnús Þór Torfason
As a member of the mass of slightly advanced skills trying to use Debian 
for their typical day-to-day server needs, I am put rather off-balance by 
the issues presented by the recent kernel compromise.

I have an installation that has run quite well, and have been running 
regular upgrades on the system.  However, it did not dawn on me until now 
that I should have installed a custom kernel after installation, let alone 
compiled my own.

However, it is rather unfortunate that at a time where probably a record 
number of individuals are wondering about kernel issues, the Kernel HOWTO 
has been removed from the site without any further clarifications.

I think that to alleviate the fears of this group of users, a step-by-step 
guide should be made available on www.debian.org and/or security.debian.org 
describing the steps to be taken to:
- Determine if user systems are afflicted by the kernel exploit
- Rectify the issue, possibly by updating the kernel

Such a guide should list a recommended kernel version for a stable Debian 
installation, and should preferably not advise users to roll their own 
kernels, since many users have no desire to start such explorations as a 
response to this issue.

I believe that this issue has caused serious doubts for many users about the 
possibility of running a typical secure linux server with medium sysadmin 
skills.  As I gather, running apt-get upgrade is not sufficient to patch a 
vulnerable system for this exploit, meaning that the method recommended for 
Keeping your Debian system secure on security.debian.org is insufficient.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


Re: Upgrading Kernels...

2003-12-07 Thread crozierm

> I believe that this issue has caused serious doubts for many users about the
> possibility of running a typical secure linux server with medium sysadmin
> skills.  As I gather, running apt-get upgrade is not sufficient to patch a
> vulnerable system for this exploit, meaning that the method recommended for
> Keeping your Debian system secure on security.debian.org is insufficient.

Those doubts may be well-founded.  While no one should rely only on
apt and security.debian.org, it cannot be doubted that the ease of using
this mechanism lures people into a false sense of security.  The fact that
kernels are not automatically upgraded compounds the issue.

Upgrading kernels automatically, ala up2date and windows update, is
certainly a bad idea.  Even having a kernel in the not-upgraded output
from apt may not be obvious to all users, especially when there may be
risks involved.

Perhaps another mechanism could be devised that warns the users during
apt-get upgrade that an important security fix is
available and that package needs to be installed manually.  I'm thinking
something along the lines of a critical-update package that is
never held back.   During installation, verbose text could be
displayed (whiptail, etc...) explaining the importance of the upgrade as
well as any caveats associated with it.  The package itself would not
install any software, only serve as a warning.

Just an idea. I apologize if this has already been discussed.

Cheers,

   Michael
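
The warning proposed in the message above, sketched as a shell filter over apt's simulated-upgrade output; this is an added example, not code from the thread or from Debian. It assumes the kernel package is named kernel-image-<release> and that apt prints a "kept back" heading followed by an indented package list; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag kernel packages that
# `apt-get upgrade` leaves in its "kept back" list.

# Print every kernel-image-* package named in the "kept back" section of
# `apt-get -s upgrade` output read from stdin, one per line.
kept_back_kernels() {
    awk '
        /^The following packages have been kept back/ { in_list = 1; next }
        in_list && /^[^ \t]/ { in_list = 0 }   # unindented line ends the list
        in_list {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^kernel-image-/) print $i
        }'
}

# Succeed (and print a warning) when the package for the running kernel
# release $1 is among the kept-back packages read from stdin.
# Assumption: the package is named kernel-image-<release>, as in the thread.
running_kernel_kept_back() {
    pkg="kernel-image-$1"
    if kept_back_kernels | grep -Fqx -- "$pkg"; then
        echo "WARNING: $pkg has a pending update; install it manually and reboot"
        return 0
    fi
    return 1
}

# Constructed sample of simulated-upgrade output (package names other than
# kernel-image-2.4.18-bf2.4 are made up).
sample_output() {
    cat <<'EOF'
Reading Package Lists...
Building Dependency Tree...
The following packages have been kept back
  kernel-image-2.4.18-bf2.4 example-lib1
The following packages will be upgraded
  example-tool kernel-doc-example
1 packages upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
EOF
}

# Demo on the sample; on a real system use:
#   apt-get -s upgrade | running_kernel_kept_back "$(uname -r)"
sample_output | running_kernel_kept_back "2.4.18-bf2.4" || true
```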





Re: Upgrading Kernels...

2003-12-07 Thread Paul E Condon
On Sun, Dec 07, 2003 at 06:11:52PM +, Magnús Þór Torfason wrote:
> As a member of the mass of slightly advanced skills trying to use Debian
> for their typical day-to-day server needs, I am put rather off-balance by
> the issues presented by the recent kernel compromise.
>
> I have an installation that has run quite well, and have been running
> regular upgrades on the system.  However, it did not dawn on me until now
> that I should have installed a custom kernel after installation, let alone
> compiled my own.
>
> However, it is rather unfortunate that at a time where probably a record
> number of individuals are wondering about kernel issues, the Kernel HOWTO
> has been removed from the site without any further clarifications.
>
> I think that to alleviate the fears of this group of users, a step-by-step
> guide should be made available on www.debian.org and/or security.debian.org
> describing the steps to be taken to:
> - Determine if user systems are afflicted by the kernel exploit
> - Rectify the issue, possibly by updating the kernel
>
> Such a guide should list a recommended kernel version for a stable Debian
> installation, and should preferably not advise users to roll their own
> kernels, since many users have no desire to start such explorations as a
> response to this issue.
>
> I believe that this issue has caused serious doubts for many users about
> the possibility of running a typical secure linux server with medium
> sysadmin skills.  As I gather, running apt-get upgrade is not sufficient
> to patch a vulnerable system for this exploit, meaning that the method
> recommended for Keeping your Debian system secure on security.debian.org
> is insufficient.

I have built kernels under Debian without benefit of Kernel HOWTO. Instead
I use the debian kernel-package tool. It has a man page that tells you
exactly what to do to build a 'private' kernel from kernel-source package.
Kernel HOWTO tells you all sorts of stuff that is simply wrong for debian (tm).

-- 
Paul E Condon   
[EMAIL PROTECTED]



Re: Upgrading Kernels...

2003-12-05 Thread Kjetil Kjernsmo
On Thursday 04 December 2003 18:48, Eric D Nielsen wrote:
> I'm a little confused as to how/when I should upgrade my kernel.  I'm not
> subscribed to this list at present, so please include me in the cc.

OK. I'm a rather new user myself, but to ease the workload on the security 
team, who already have their hands full, I'll attempt an answer, but I 
basically just reiterate what I've heard here... :-)

> I'm using the 2.4.18.bf2.4 kernel.  I saw that new headers for it were
> added to the security server recently, but don't know what else is
> needed.  Does the machine need to be reboot'ed, after the apt-get upgrade?

Yep. 

If you check the recent archives of this list (they are up now, right? I'm on 
a GPRS link, so I'm not going over to check), you'll see that you're not 
supposed to be running the bf2.4 kernel, you were supposed to go for a 
CPU-specific kernel shortly after installation. 

I must admit that I never saw anything about going for a CPU-specific kernel 
from the stuff I read when installing... But when I first did it, a friend of 
mine was telling me come on, you want your own kernel, own kernels are cool, 
go for it. So I did... To the rest of the folks here: Does the installation 
guide (or the installer dialog) tell you to change the kernel? 

> I saw that kernel images were provided for some of the other Linux kernels,
> but not for the bf2.4 variant.  Does this mean that the bf2.4 variant is
> already safe/patched as is, or that the packager/maintainer hasn't gotten
> to it yet?

AFA I've understood, the idea is that you shouldn't have the bf2.4 variant 
shortly after installation. I might be wrong, but I got the impression they 
were not going to be patched.  

> I'm a little wary of moving off the bf2.4, it seems to be the only one that
> likes my network configuration.  Several of the machines I need to
> administer are hard to get local access to, so if the network goes, I'm out
> of luck.

Yeah, I know how that feels... I've got difficulties physically getting to my 
main server too. It's a box I had donated, it runs excellently when it is up, 
but I often have to boot it several times to get it running. Upgrading a 
kernel implies a reboot (I think), so that's really scary. 

However, I think you have no option but to plunge into it...

It was mentioned here a couple of days ago that there are certain differences 
between the bf2.4 kernel and the CPU-specific kernels in that in the latter 
some things are compiled as modules, rather than into the kernel. ne2k  
ethernet cards were mentioned specifically. So, there you may have a hint 
about why you haven't any of the other kernels working with your network. 
Loading the modules might fix the problem. I'm certainly not qualified to 
help you further here, but it is a track you can pursue. Start with once you 
get physical access to first, of course... :-)

Best,

Kjetil





Re: Upgrading Kernels...

2003-12-05 Thread Riku Valli

----- Original Message -----
From: Eric D Nielsen [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Sent: Thursday, December 04, 2003 7:48 PM
Subject: Upgrading Kernels...


> I'm a little confused as to how/when I should upgrade my kernel.  I'm not
> subscribed to this list at present, so please include me in the cc.
>
> I've seen several of the security announcements concerning new/patched
> versions of several of the Linux kernels, but I'm seldom sure if it
> applies to me.  apt-get update; apt-get upgrade normally do not find
> any packages.  (I have the security server in the source list.)
>
> I'm using the 2.4.18.bf2.4 kernel.  I saw that new headers for it were
> added to the security server recently, but don't know what else is
> needed.  Does the machine need to be reboot'ed, after the apt-get upgrade?
>
> I saw that kernel images were provided for some of the other Linux kernels,
> but not for the bf2.4 variant.  Does this mean that the bf2.4 variant is
> already safe/patched as is, or that the packager/maintainer hasn't gotten to
> it yet?
>
> I'm a little wary of moving off the bf2.4, it seems to be the only one that
> likes my network configuration.  Several of the machines I need to administer
> are hard to get local access to, so if the network goes, I'm out of luck.
>
> Please advise.  Thank you.
>
> Eric Nielsen

Hi

It seems that kernel-image-2.4.18-bf2.4 and kernel-image-2.4.18-1-686 are
patched, and I believe all of stock kernels are patched. bf2.4 variant
published I remembered at 2.12.03. Traditionally Debian apt-get
update/upgrade can't upgrade kernel. This isn't always true. Maybe you
should try apt-get install kernel-image-2.4.18.bf2.4 if kernel is older
this will install new kernel over your existing one.

Hope this helps

Riku


