Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
From: dann frazier <dannf@debian.org>
Date: Fri, 12 Dec 2008 11:37:35 -0700
Message-id: <[🔎] 20081212183734.GB31400@colo.lackof.org>
In-reply-to: <[🔎] 20081212085343.GA3369@beczulka>
References: <20081204175911.GG14564@ldl.fc.hp.com> <[🔎] 20081211170652.GG1531@urchin.earth.li> <[🔎] 20081211183828.GA11905@colo.lackof.org> <[🔎] 20081211184959.GH1531@urchin.earth.li> <[🔎] 20081211191104.GB11905@colo.lackof.org> <[🔎] 20081212085343.GA3369@beczulka>

On Fri, Dec 12, 2008 at 08:53:43AM +0000, Marcin Owsiany wrote:
> On Thu, Dec 11, 2008 at 12:11:05PM -0700, dann frazier wrote:
> > On Thu, Dec 11, 2008 at 06:49:59PM +0000, Dominic Hargreaves wrote:
> > > On Thu, Dec 11, 2008 at 11:38:28AM -0700, dann frazier wrote:
> > > > Yes - 2.6.18 is in stable, and as such will be security supported for
> > > > at least another year. Minor/local DoS security issues in the kernel
> > > > are very frequent, so updated packages are constantly in
> > > > preparation. Preparing kernel updates is resource intensive so, unless
> > > > there's a severe issue, etch users should expect 2.6.18 and 2.6.24
> > > > updates to be staggered.
> > > 
> > > Yup, that's pretty much what I expected to hear; thanks for confirming.
> > > 
> > > May I make a suggestion that you include a comment along these lines in
> > > the advisory texts? It would help reassure users that things haven't been
> > > forgotten about greatly.
> > 
> > Yes, this has been a FAQ since the release of etchnhalf. I'll see
> > about adding something to the text template. Does this look ok?
> > 
> >   Debian 'etch' includes linux kernel packages based upon both the
> >   2.6.18 and 2.6.24 linux releases.  All known security issues are
> >   carefully tracked against both packages and both packages will
> >   receive security updates until security support for Debian 'etch'
> >   ceases. However, given the high frequency at which low-severity
> >   security issues are discovered in the kernel and the resource
> >   requirements of doing an update, non-critical 2.6.18 and 2.6.24
> >   updates will typically release in a staggered or "leap-frog"
> >   fashion.
> 
> I'd suggest you add something more explicit, maybe:
> 
>     [fashion], that is when higher-severity issues are fixed.
> 
> or something similar.

Well, I don't think that's what I mean. High-severity fixes will
release as soon as possible - likely simultaneously.

-- 
dann frazier

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
  - From: Marcin Owsiany <porridge@debian.org>

References:
- Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
  - From: Dominic Hargreaves <dom@earth.li>
- Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
  - From: dann frazier <dannf@dannf.org>
- Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
  - From: Dominic Hargreaves <dom@earth.li>
- Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
  - From: dann frazier <dannf@dannf.org>
- Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
  - From: Marcin Owsiany <porridge@debian.org>

Prev by Date: Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
Next by Date: Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
Previous by thread: Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
Next by thread: Re: [SECURITY] [DSA 1681-1] New Linux 2.6.24 packages fix several vulnerabilities
Index(es):
- Date
- Thread