Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities

To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
From: Mikko Rapeli <mikko.rapeli@iki.fi>
Date: Tue, 27 Jun 2006 21:06:18 +0300
Message-id: <[🔎] 20060627180617.GD9625@nalle>
Mail-followup-to: Moritz Muehlenhoff <jmm@inutil.org>, debian-security@lists.debian.org
In-reply-to: <[🔎] slrnea2mfb.55b.jmm@inutil.org>
References: <20060627050001.GA5247@galadriel.inutil.org> <[🔎] 20060627072809.GA9625@nalle> <[🔎] slrnea2mfb.55b.jmm@inutil.org>

On Tue, Jun 27, 2006 at 06:16:43PM +0200, Moritz Muehlenhoff wrote:
> Mikko Rapeli wrote:
> >>     http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha
> >>/kernel-headers-2.6.8-2_2.6.8-16sarge1_alpha.deb
> >                        ^         ^^^^^^
> >
> > 2.6.8-2 and sarge1? This and older kernel advisories contain URL's and 
> > md5sums for kernel binary packages which don't fix the mentioned 
> > vulnerabilities[1]. Is this a bug or am I missing something?
> 
> The Debian security host has been moved to a new machine and as the aftermath
> the md5sum template isn't sent out any more. So I had to fiddle this together
> manually and accidentally copied over the wrong file.

To err is human :)

> I'm including the correct ones for reference below, they'll be sent out officially
> signed once the amd64 build is processed.

Good. Source and arch indep packages are fine but arch binary lists stil have 
sarge1 entries dating back to Nov 2005 without fixes from DSA 1103-1.
The released fixes seem to add 'sarge[n+1]' version to updated source
packages which should propably be in the binary packages version part too.
Packages without the new version tag or an old 'sarge[n]' should not be
in a kernel DSA, I presume. Or you just copied the wrong list again:

<snip>
>     http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha/
>kernel-headers-2.6.8-2_2.6.8-16sarge1_alpha.deb
                      ^         ^^^^^^
>       Size/MD5 checksum:  2757876 e94cdb8d12552d293018c7ca24199f47
>     http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-alpha/
>kernel-headers-2.6.8-2-generic_2.6.8-16sarge1_alpha.deb
                      ^                 ^^^^^^
<snip>
>     http://security.debian.org/pool/updates/main/k/kernel-image-2.6.8-i386/
>kernel-headers-2.6.8-2_2.6.8-16sarge1_i386.deb
                      ^         ^^^^^^
...

-Mikko

Reply to:

References:
- Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
  - From: Mikko Rapeli <mikko.rapeli@iki.fi>
- Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
Next by Date: Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
Previous by thread: Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
Next by thread: Re: [SECURITY] [DSA 1103-1] New Linux kernel 2.6.8 packages fix several vulnerabilities
Index(es):
- Date
- Thread