Re: [SECURITY] [DSA 1458-1] New openafs packages fix denial of service vulnerability
On Thu, 2008-01-10 at 23:37 -0500, Noah Meyerhans wrote:
> On Thu, Jan 10, 2008 at 11:25:07PM -0500, Thomas Bushnell BSG wrote:
> > > Except that the security flaw is in the fileserver, which does not
> > > involve the kernel module at all and runs fine even without it
> > > installed.
> > Surely. But then the security update shouldn't mention unaffected
> > packages!
> All binary packages built from a given source package are updated
> together. Yes, this is inefficient when many binary packages are built
> from a single source packages. We mention all the binary packages in
> the advisory because they're the versions that are going to be installed
> by apt* and people are going to want checksums, file sizes, etc. We
> don't have any sane mechanism for updating a subset of a source
> package's binary packages. Until we do (don't hold your breath) we will
> continue to provide all the information we're currently providing.
> Surely you must have wondered in the past why a DSA for xfree86 required
> you to install new fonts...
No, I was happy to think as you describe: that the assumption is that
all binary packages are updated together.
But I was just told that this is not actually the point. See, I noted
that the posted instructions would *fail* to actually update all the
binary packages together, and was told that this is not actually the
Perhaps instead of defensiveness, the real issue is this: installing
upgraded debian packages is not sufficient, in the presence of kernel
module source packages, to effect the necessary upgrades. Security
announcements should make this clear, and contain correct complete
instructions for whichever packages are mentioned.
If a security bug were found in the afs client-side package, which is
implemented as a kernel module, would the announcement not look just
like the one we saw for DSA 1458-1?