Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
On 2008-12-13, Marcin Owsiany <porridge@debian.org> wrote:
> On Fri, Dec 12, 2008 at 11:37:35AM -0700, dann frazier wrote:
>> On Fri, Dec 12, 2008 at 08:53:43AM +0000, Marcin Owsiany wrote:
>> > On Thu, Dec 11, 2008 at 12:11:05PM -0700, dann frazier wrote:
>> > > On Thu, Dec 11, 2008 at 06:49:59PM +0000, Dominic Hargreaves wrote:
>> > > > On Thu, Dec 11, 2008 at 11:38:28AM -0700, dann frazier wrote:
>> > > > > Yes - 2.6.18 is in stable, and as such will be security supported for
>> > > > > at least another year. Minor/local DoS security issues in the kernel
>> > > > > are very frequent, so updated packages are constantly in
>> > > > > preparation. Preparing kernel updates is resource intensive so, unless
>> > > > > there's a severe issue, etch users should expect 2.6.18 and 2.6.24
>> > > > > updates to be staggered.
>> > > > 
>> > > > Yup, that's pretty much what I expected to hear; thanks for confirming.
>> > > > 
>> > > > May I make a suggestion that you include a comment along these lines in
>> > > > the advisory texts? It would help reassure users that things haven't been
>> > > > forgotten about greatly.
>> > > 
>> > > Yes, this has been a FAQ since the release of etchnhalf. I'll see
>> > > about adding something to the text template. Does this look ok?
>> > > 
>> > >   Debian 'etch' includes linux kernel packages based upon both the
>> > >   2.6.18 and 2.6.24 linux releases.  All known security issues are
>> > >   carefully tracked against both packages and both packages will
>> > >   receive security updates until security support for Debian 'etch'
>> > >   ceases. However, given the high frequency at which low-severity
>> > >   security issues are discovered in the kernel and the resource
>> > >   requirements of doing an update, non-critical 2.6.18 and 2.6.24
>> > >   updates will typically release in a staggered or "leap-frog"
>> > >   fashion.
>> > 
>> > I'd suggest you add something more explicit, maybe:
>> > 
>> >     [fashion], that is when higher-severity issues are fixed.
>> > 
>> > or something similar.
>> 
>> Well, I don't think that's what I mean. High-severity fixes will
>> release as soon as possible - likely simultaneously.
>
> Well, that is what I meant as well, but my English is apparently not
> good enough to express it. I think there is a single fact that the
> reader should get from this:
>
> Low severity fixes often wait until there is a need for a high-severity fix.
>
> Does that sound better?

Not quite: in the case of an emergency release such as the vmsplice issue (where
the exploit was posted in the wild), the low-severity issues will rather
be postponed to a follow-up DSA.

Cheers,
        Moritz