Re: Linux 2.6 update for Etch
On Thu, Feb 18, 2010 at 09:50:43PM -0500, Michael Gilbert wrote:
> On Thu, 18 Feb 2010 14:53:14 +0200 Peter Pentchev wrote:
> > Hi,
> > First of all, apologies if this is sent to the wrong list, or if this
> > information is already available somewhere; also, I'm aware that
> > security support for Debian Etch ended a couple of days ago.
> > In the recent DSA-1996-1 for the linux-2.6 package vulnerabilities,
> > there was the following sentence:
> > For the oldstable distribution (etch), these problems, where
> > applicable, will be fixed in updates to linux-2.6 and linux-2.6.24.
> > Now, since we several servers that we are currently in the process of
> > migrating to Lenny, but the migration will not be complete for at
> > least several more weeks (and yes, I know this is our own fault :),
> > I'd just like to ask if there's any timeframe on when the Etch
> > updates for the linux-2.6 package shall be released - without meaning
> > to hurry anybody or to be pushy or something; I'm quite aware of
> > all the work that goes into maintaining security updates across
> > multiple versions of multiple packages on ooooold distributions,
> > and the security team has my sincere thanks and condolences for all
> > the work they have to do so we can sleep soundly :)
> > Or maybe I'm missing something and the Etch update has already been
> > released? But the only updated package I can see at
> > http://security.debian.org/pool/updates/main/l/ is the "latest" one -
> > linux-latest-2.6_6etch3; but from what I can see, it builds
> > the linux-image-2.6-amd64_2.6.18+6etch3 package, which just depends on
> > linux-image-2.6.18-6-amd64 (the actual kernel), and the actual kernel
> > at http://security.debian.org/pool/updates/main/l/linux-2.6/ seems
> > to still be at version 2.6.18.dfsg.1-26etch1 from November 5, 2009.
> > Am I missing something, or is it just a question of manpower and time?
> > If the latter, sorry if this mail comes through as pushy - it's really
> > not meant to be!
> > Again, thanks to the security team for all their hard work!
> > Please CC me on replies, since I'm not subscribed to this list.
> you didn't miss anything. the update is in the works, and will be
> released with the next etch point release (as seen in some other mailing
> list; which one, i don't remember). the release team would be a better
> place to ask about when that is going to happen, but if they haven't
> announced anything publicly yet, then they probably have yet to set a
The plan is to release both via the normal DSA process which will, as
Mike mentioned, then become queued for the next point release. I'd
suggest just watching for debian-security-announce for an update. If
you want to see what will be fixed, I'd suggest taking a look at the
current changelogs in svn:
If you are interested in a specific CVE, you can look it up here: