Re: [SECURITY] [DSA 1017-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
On 03/23/2006 04:58 PM, Moritz Muehlenhoff wrote:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 1017-1 security@debian.org
> http://www.debian.org/security/ Dann Frazier, Simon Horman
> March 23rd, 2006 http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package : kernel-source-2.6.8
> Vulnerability : several
> Problem-Type : local/remote
> Debian-specific: no
> CVE ID : CVE-2004-1017 CVE-2005-0124 CVE-2005-0449 CVE-2005-2457 CVE-2005-2490 CVE-2005-2555 CVE-2005-2709 CVE-2005-2800 CVE-2005-2973 CVE-2005-3044 CVE-2005-3053 CVE-2005-3055 CVE-2005-3180 CVE-2005-3181 CVE-2005-3257 CVE-2005-3356 CVE-2005-3358 CVE-2005-3783 CVE-2005-3784 CVE-2005-3806 CVE-2005-3847 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858 CVE-2005-4605 CVE-2005-4618 CVE-2006-0095 CVE-2006-0096 CVE-2006-0482 CVE-2006-1066
> Debian Bug : 295949 334113 330287 332587 332596 330343 330353 327416
>
> Several local and remote vulnerabilities have been discovered in the Linux
> kernel that may lead to a denial of service or the execution of arbitrary
> code. The Common Vulnerabilities and Exposures project identifies the
> following problems:
[snip]
> The following matrix explains which kernel version for which architecture
> fix the problems mentioned above:
>
> Debian 3.1 (sarge)
> Source 2.6.8-16sarge2
> Alpha architecture 2.6.8-16sarge2
> AMD64 architecture 2.6.8-16sarge2
> HP Precision architecture 2.6.8-6sarge2
> Intel IA-32 architecture 2.6.8-16sarge2
> Intel IA-64 architecture 2.6.8-14sarge2
> Motorola 680x0 architecture 2.6.8-4sarge2
> PowerPC architecture 2.6.8-12sarge2
> IBM S/390 architecture 2.6.8-5sarge2
> Sun Sparc architecture 2.6.8-15sarge2
>
> The following matrix lists additional packages that were rebuilt for
> compatibility with or to take advantage of this update:
>
> Debian 3.1 (sarge)
> kernel-latest-2.6-alpha 101sarge1
> kernel-latest-2.6-amd64 103sarge1
> kernel-latest-2.6-hppa 2.6.8-1sarge1
> kernel-latest-2.6-sparc 101sarge1
> kernel-latest-2.6-i386 101sarge1
> kernel-latest-powerpc 102sarge1
> fai-kernels 1.9.1sarge1
> hostap-modules-i386 0.3.7-1sarge1
> mol-modules-2.6.8 0.9.70+2.6.8+12sarge1
> ndiswrapper-modules-i386 1.1-2sarge1
>
> We recommend that you upgrade your kernel package immediately and reboot
> the machine. If you have built a custom kernel from the kernel source
> package, you will need to rebuild to take advantage of these fixes.
>
> This update introduces a change in the kernel's binary interface, the affected
> kernel packages inside Debian have been rebuilt, if you're running local addons
> you'll need to rebuild these as well.
>
> Upgrade Instructions
[snip]
Possible problem with automatic upgrades:
========================================
aptitude update/upgrade did not automatically install the security
update for my sarge systems.
I had to manually install kernel-image-2.6-686, otherwise no upgrade was
initiated. The usual warning to reboot the system was also missing.
If I had not subscribed to debian-security-announce, I never would have
known that aptitude update/upgrade would /miss/ this important security
upgrade.
My systems were installed from sarge ISO and net-installed:
ls -l /var/log/debian-installer/messages
-rw-r--r-- 1 root root 38K 2006-01-04 16:19 /var/log/debian-installer/messages
grep kernel-image-2.6 /var/log/debian-installer/messages
kernel-image-2.6.8-2-686 module-init-tools
Selecting previously deselected package kernel-image-2.6.8-2-686.
Unpacking kernel-image-2.6.8-2-686 (from
.../kernel-image-2.6.8-2-686_2.6.8-16_i386.deb) ...
Setting up kernel-image-2.6.8-2-686 (2.6.8-16) ...
So... kernel-image-2.6-686 was never installed until I manually
installed it just now.
Please consider that other users who do not subscribe to
debian-security-announce may be unprotected by relying on aptitude or
apt-get upgrades for security upgrades, if my experience is not unusual.
Thank you and regards,
Ralph
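The failure mode Ralph describes (the ABI-bumped kernel image never being pulled in because the kernel-image-2.6-<flavour> meta-package was not installed, plus no reboot reminder) can be checked for from a script. The example below is added here and is not part of the thread or of Debian's tooling. It works on the output of dpkg-query and uname -r; the sample listings embedded in it are constructed, and the new image name kernel-image-2.6.8-3-686 and the versions shown are assumptions for illustration, not values taken from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): detect a sarge host that would silently
# miss a kernel DSA. Two conditions are checked against a dpkg listing:
#   1. the kernel-image-2.6-<flavour> meta-package is not installed, so
#      "aptitude upgrade" has nothing that depends on the new ABI image;
#   2. the running kernel is older than the newest installed image, i.e.
#      the update was installed but the machine was never rebooted.

# Constructed sample listings in the shape of
#   dpkg-query -W -f='${Package} ${Version} ${Status}\n' 'kernel-image-*'
# Package names/versions below are assumptions for illustration.
# Ralph's case: only the old image, no meta-package.
SAMPLE_NO_META='kernel-image-2.6.8-2-686 2.6.8-16 install ok installed'
# Meta-package present, new image installed, old image still running;
# one removed package is included to show that it is filtered out.
SAMPLE_STALE='kernel-image-2.6.8-1-686 2.6.8-13 deinstall ok config-files
kernel-image-2.6.8-2-686 2.6.8-16 install ok installed
kernel-image-2.6.8-3-686 2.6.8-16sarge2 install ok installed
kernel-image-2.6-686 101sarge1 install ok installed'

# Print the names of packages whose status is "installed" (last field).
installed_pkgs() {            # $1 = dpkg listing
    printf '%s\n' "$1" | awk '$NF == "installed" { print $1 }'
}

# Exit 0 if kernel-image-2.6-<flavour> is installed, 1 otherwise.
meta_installed() {            # $1 = dpkg listing, $2 = flavour (e.g. 686)
    installed_pkgs "$1" | grep -qx "kernel-image-2.6-$2"
}

# Print the installed kernel-image-2.6.8-<abi>-<flavour> with the highest ABI.
# Splitting the name on "-" gives: kernel image 2.6.8 <abi> <flavour>.
newest_image() {              # $1 = dpkg listing, $2 = flavour
    installed_pkgs "$1" | awk -F- -v fl="$2" '
        BEGIN { best = -1 }
        $1 == "kernel" && $2 == "image" && NF == 5 && $5 == fl && $4+0 > best {
            best = $4+0; name = $0
        }
        END { if (name != "") print name }'
}

# Exit 0 if the running kernel (uname -r form, e.g. 2.6.8-2-686) is the newest
# installed image for the flavour.
running_is_newest() {         # $1 = uname -r, $2 = dpkg listing, $3 = flavour
    [ "kernel-image-$1" = "$(newest_image "$2" "$3")" ]
}

# Print a one-word verdict: ok, no-meta, reboot-needed or no-meta+reboot-needed.
check_kernel_update() {       # $1 = uname -r, $2 = dpkg listing, $3 = flavour
    issues=""
    meta_installed "$2" "$3" || issues="no-meta"
    running_is_newest "$1" "$2" "$3" || issues="${issues:+$issues+}reboot-needed"
    printf '%s\n' "${issues:-ok}"
}

# Stand-alone run against the constructed samples.
echo "no meta-package:        $(check_kernel_update 2.6.8-2-686 "$SAMPLE_NO_META" 686)"
echo "new image, old running: $(check_kernel_update 2.6.8-2-686 "$SAMPLE_STALE" 686)"
echo "new image, rebooted:    $(check_kernel_update 2.6.8-3-686 "$SAMPLE_STALE" 686)"
# On a real sarge host the same check would be:
#   check_kernel_update "$(uname -r)" \
#     "$(dpkg-query -W -f='${Package} ${Version} ${Status}\n' 'kernel-image-*')" 686
```

The verdict "no-meta" is the one that matches the situation in the thread: upgrades of the existing image package alone will not follow an ABI bump, so a host without the meta-package stays on the vulnerable kernel. "reboot-needed" covers the other half of the report, the missing reboot warning after the new image has been unpacked.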