
Re: Kernel Security Updates for Sarge



Hi,

I have been working on this update issue and I am happy to report that
I have made good progress.

Firstly, to clarify, I am working on two sets of updates.
A testing-security update, which will only include security fixes.
And a testing-proposed-updates, which will include some other fixes as
well, basically what is currently in SVN. Today I have been working on
the former; I hope to get to the latter in the next couple of days.

In each case my primary task is to get kernel-source packages
ready for 2.6.8 and 2.4.27. And my secondary task is to make
binary images for i386 and powerpc. Other architectures are built
by other members of the kernel team, or are not under
the auspices of the kernel team. I think I covered this pretty
thoroughly in my previous email.

testing-security:

I have made a testing-security/ directory in SVN.
It's the same layout as trunk/, albeit with a lot
of directories missing. I'd like to encourage
other architecture maintainers to put anything they
are working on regarding testing-security in there too.

I have also made preliminary packages available at:

http://debian.vergenet.net/sarge-security/

In there you should find kernel-source packages for 2.4.27 and 2.6.8,
and kernel-image-i386 images for 2.6.8. I hope to add the
kernel-image-i386 images for 2.4.27 shortly (once they finish building),
and binary packages for powerpc over the weekend.

kernel-source-2.6.8 2.6.8-15sarge1

  Most kernel-images in Sarge are based off 2.6.8-13, however some are
  based off 2.6.8-15. As a result, there are some patches from 2.6.8-14 and
  2.6.8-15 which are already included in some architectures, but not
  others. Also, kernel-source 2.6.8-15 is actually in Sarge.
     The criteria I used for patch inclusion were as follows:
     * Security patch, or
     * Non-security patch that is specific to an architecture
       that is based off 2.6.8-15, or
     * Packaging-related patch - that is, it doesn't affect the kernel
       images built from the code it contains, and is already
       in sarge. E.g. fixing a package description in the control file

  This turned out to be quite simple, and you can see the resulting
  annotated changelog here:
  http://debian.vergenet.net/sarge-security/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-15sarge1_i386.changes

  In fact, it turns out that I left 2.6.8-14 and 2.6.8-15 unchanged.
  The only questionable patches are as follows. I'd like feedback
  on what to do here, keeping in mind that removing them
  would be a regression if any of the architectures built against
  2.6.8-15 use this code. In the case of the SCSI fix, that
  seems a certainty. In the case of the ia64-ptrace fix,
  I am not sure if this code is needed by subsequent security fixes
  or not. The au88x0 case seems a bit more clear-cut, but
  I am not sure what architectures compile this. In any case,
  here is the list; they are currently all included:

  * Backport more scsi-ioctl fixes: add CMD_WARNED, remove duplicate
    safe_for_read(READ_BUFFER), add LOG_SENSE as read-ok and
    LOG_SELECT as write-ok, quieten scsi ioctl when asking for
    a lot of memory and failing. (Maximilian Attems)

  * ia64-ptrace-speedup.dpatch
    Backport needed to form a base on top of which ia64-ptrace-fixes will
    apply. (dann frazier)

  * au88x0-use-short-name.dpatch: Use CARD_SHORT_NAME in au88x0.c to allow
    card-specific driver names (CARD_SHORT_NAME is redefined by each
    driver.) (Joshua Kwan)

kernel-source-2.4.27 2.4.27-8sarge1

  2.4.27 was more straightforward. I think all architectures
  are based off 2.4.27-8 in sarge, and this is the version
  of kernel-source in sarge. As a result, I just merged
  the changes from 2.4.27-9 (unstable) and 2.4.27-10 (as yet unreleased,
  in SVN) and removed any non-security fixes. The resulting changelog
  is:

  http://debian.vergenet.net/sarge-security/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-8sarge1_i386.changes

testing-proposed-updates:

These are proposed packages for Sarge r1.
I anticipate there will be more security bugs and the like
found before we get there. But what we have is looking good
at this time, so it seems worth getting into testing-proposed-updates
and unstable. I don't see any reason for those two packages
to be any different at this time. The kernel source packages
will most likely be called kernel-source-2.4.27 2.4.27-10
and kernel-source-2.6.8 2.6.8-16.

Everything for kernel-source for both 2.4.27 and 2.6.8 is currently in
svn under the trunk/ directory. Ditto for kernel-image-i386.  I am still
wrestling with some issues with the kernel-headers package for 2.6.8 on
powerpc, but Sven Luther has a working fix and I am close, so that
should be in the bag pretty soon.  I will try and get packages together
for all of these over the next few days.

Watch this space.

-- 
Horms