On Thu, Sep 08, 2005 at 09:17:25PM -0500, Micah Anderson wrote:
> Hi,
>
> I think it would be a good idea to get a DTSA (Debian Testing Security
> Advisory) issued for 2.4.27 and 2.6.8.
>
> 2.4.27-11 is already in testing, but the number of security bugs fixed in
> this version is significant: there are 9 CAN numbers for 2.4.27-11[1]; and 4
> other security patches that do not have CVE entries[2]. It seems that it
> would be a good idea to do an advisory to alert people that these security
> holes have been fixed and that they need to upgrade and reboot if they
> haven't already.
>
> 2.6.8 is scheduled to be removed from sid, and consequentially in testing as
> well, however it may be good to do an advisory to alert those who are
> running 2.6.8 to upgrade to linux-2.6 (2.6.12) as the kernel they are
> running is not being supported (and the transition is not super obvious) and
> the number of security holes for the version in testing (2.6.8-16) adds up
> to a whopping 13 CAN numbers[3] and 21 other security patches[4].
>
> Neither of these advisories is a typical DTSA, as normally we only do
> advisories for things that are blocked from reaching testing by some other
> issue, but I think that it would be good to do these two advisories because
> of the sheer number of security holes fixed as well as the necessary upgrade
> path that people need to take if they wish to maintain the integrity of
> their machines.
>
> I have begun the work to prepare this advisory for release. We basically
> need 2.6.8 to leave the archive and the 2.6.12 packages to enter testing
> before the 2.6.8 DTSA can be released. The DTSA would just list the normal
> testing repositories for the upgrade (rather than the secure-testing
> repositories).
>
>
> Micah
>
> 1. CAN-2005-2458, CAN-2005-2459, CAN-2005-1767, CAN-2005-2456,
> CAN-2005-1768, CAN-2005-0756, CAN-2005-0757, CAN-2005-1762, CAN-2005-1768
>
> 2. 184_arch-x86_64-ia32-ptrace32-oops.diff,
> 174_net-ipv4-netfilter-nat-mem.diff, 178_fs_ext2_ext3_xattr-sharing.diff,
> 179_net-ipv4-netfilter-ip_recent-last_pkts.diff
>
> 3. CAN-2005-1763, CAN-2005-1762, CAN-2005-0756, CAN-2005-1265, CAN-2005-0757,
> CAN-2005-1765, CAN-2005-1761, CAN-2005-2456, CAN-2005-2548, CAN-2004-2302,
> CAN-2005-1767, CAN-2005-2458, CAN-2005-2459
>
> 4. mckinley_icache.dpatch, arch-x86_64-kernel-smp-boot-race.dpatch,
> arch-x86_64-mm-ioremap-page-lookup.dpatch,
> fs-exec-ptrace-core-exec-race.dpatch, fs-exec-ptrace-deadlock.dpatch,
> fs-exec-posix-timers-leak-1.dpatch, fs-exec-posix-timers-leak-2.dpatch,
> fs-hfs-oops-and-leak.dpatch, net-bridge-netfilter-etables-smp-race.dpatch,
> net-bridge-forwarding-poison-2.dpatch, net-rose-ndigis-verify.dpatch,
> sound-usb-usbaudio-unplug-oops.dpatch, net-ipv4-ipvs-conn_tab-race.dpatch,
> arch-ia64-ptrace-getregs-putregs.dpatch, ppc32-time_offset-misuse.dpatch,
> netfilter-NAT-memory-corruption.dpatch,
> netfilter-ip_conntrack_untracked-refcount.dpatch,
> sys_get_thread_area-leak.dpatch, fs_ext2_ext3_xattr-sharing.dpatch,
> net-ipv4-netfilter-ip_recent-last_pkts.dpatch,
> arch-x86_64-mm-ioremap-page-lookup-fix.dpatch
That seems fine to me, at a glance. Though there have been some additional bugs fixed in SVN. I have added the relevant patches to all trees that were affected, though only 2.4.27 and 2.6.12 are relevant to this discussion. It might be a good time to spin 2.4.27-12 and get that into unstable. And linux-2.6 2.6.12-6, which was released earlier this week, should be up to date.

I've also added [EMAIL PROTECTED], as I would like to keep them in the loop with regards to security activity.

-- 
Horms

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

