Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities

On Tue, Jun 27, 2006 at 06:16:43PM +0200, Moritz Muehlenhoff wrote:
> Mikko Rapeli wrote:
> >>     http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha
> >>/kernel-headers-2.6.8-2_2.6.8-16sarge1_alpha.deb
> >                        ^         ^^^^^^
> >
> > 2.6.8-2 and sarge1? This and older kernel advisories contain URLs and 
> > md5sums for kernel binary packages which don't fix the mentioned 
> > vulnerabilities[1]. Is this a bug or am I missing something?
> The Debian security host has been moved to a new machine and as the aftermath
> the md5sum template isn't sent out any more. So I had to fiddle this together
> manually and accidentally copied over the wrong file.

To err is human :)

> I'm including the correct ones for reference below, they'll be sent out officially
> signed once the amd64 build is processed.

Good. Source and arch indep packages are fine but arch binary lists still have 
sarge1 entries dating back to Nov 2005 without fixes from DSA 1103-1.
The released fixes seem to add 'sarge[n+1]' version to updated source
packages which should probably be in the binary packages version part too.
Packages without the new version tag or an old 'sarge[n]' should not be
in a kernel DSA, I presume. Or you just copied the wrong list again:

>     http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha/
                      ^         ^^^^^^
>       Size/MD5 checksum:  2757876 e94cdb8d12552d293018c7ca24199f47
>     http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha/
                      ^                 ^^^^^^
>     http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-i386/
                      ^         ^^^^^^
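Added example, not part of the thread: a small audit script that applies the check described above to an advisory's package list, parsing each .deb filename's Debian revision, flagging entries whose 'sargeN' tag is missing or older than the build expected to carry the fix, and verifying a download's size and MD5 against the listed values. The expected sarge revision (2), the sample entries, and their sizes/MD5s are constructed assumptions.

```python
import hashlib
import re

# Debian binary package filename: <package>_<upstream>-<revision>_<arch>.deb,
# e.g. kernel-headers-2.6.8-2_2.6.8-16sarge1_alpha.deb (revision 16sarge1).
DEB_NAME = re.compile(r"^(?P<pkg>[^_]+)_(?P<ver>[^_]+)_(?P<arch>[^_]+)\.deb$")
SARGE_TAG = re.compile(r"sarge(?P<n>\d+)$")

def parse_deb_filename(name):
    """Split a .deb filename into package, upstream version, revision, arch."""
    m = DEB_NAME.match(name)
    if not m:
        raise ValueError(f"not a Debian package filename: {name}")
    upstream, _, revision = m.group("ver").rpartition("-")
    return {"pkg": m.group("pkg"), "upstream": upstream,
            "revision": revision, "arch": m.group("arch")}

def sarge_revision(revision):
    """Return N from a trailing 'sargeN' stable-update tag, or None if absent."""
    m = SARGE_TAG.search(revision)
    return int(m.group("n")) if m else None

def stale_entries(entries, expected_sarge):
    """Return [(filename, reason)] for (url, size, md5) advisory entries whose
    revision tag is missing or predates the sargeN build carrying the fix."""
    findings = []
    for url, _size, _md5 in entries:
        name = url.rsplit("/", 1)[-1]
        n = sarge_revision(parse_deb_filename(name)["revision"])
        if n is None:
            findings.append((name, "no sargeN tag: not a stable security build"))
        elif n < expected_sarge:
            findings.append((name, f"sarge{n} predates expected sarge{expected_sarge}"))
    return findings

def verify_package(data, expected_size, expected_md5):
    """Check downloaded bytes against the size and MD5 listed in the advisory."""
    return len(data) == expected_size and hashlib.md5(data).hexdigest() == expected_md5

# Constructed sample listing: the first filename is the one quoted in the thread,
# the second is a made-up sarge2 build; sizes and MD5s are placeholders.
BASE = "http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha/"
SAMPLE_ENTRIES = [
    (BASE + "kernel-headers-2.6.8-2_2.6.8-16sarge1_alpha.deb", 1, "0" * 32),
    (BASE + "kernel-headers-2.6.8-2_2.6.8-16sarge2_alpha.deb", 1, "0" * 32),
]
if __name__ == "__main__":
    # Assumption: the fixed builds carry a sarge2 tag, so sarge1 entries are stale.
    for name, reason in stale_entries(SAMPLE_ENTRIES, expected_sarge=2):
        print(f"STALE {name}: {reason}")
```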
