
Re: Linux 2.6 update for Etch



On Thu, Feb 18, 2010 at 09:50:43PM -0500, Michael Gilbert wrote:
> On Thu, 18 Feb 2010 14:53:14 +0200 Peter Pentchev wrote:
> 
> > Hi,
> > 
> > First of all, apologies if this is sent to the wrong list, or if this
> > information is already available somewhere; also, I'm aware that
> > security support for Debian Etch ended a couple of days ago.
> > 
> > In the recent DSA-1996-1 for the linux-2.6 package vulnerabilities,
> > there was the following sentence:
> > 
> >   For the oldstable distribution (etch), these problems, where
> >   applicable, will be fixed in updates to linux-2.6 and linux-2.6.24.
> > 
> > Now, since we have several servers that we are currently in the process of
> > migrating to Lenny, but the migration will not be complete for at
> > least several more weeks (and yes, I know this is our own fault :),
> > I'd just like to ask if there's any timeframe on when the Etch
> > updates for the linux-2.6 package shall be released - without meaning
> > to hurry anybody or to be pushy or something; I'm quite aware of
> > all the work that goes into maintaining security updates across
> > multiple versions of multiple packages on ooooold distributions,
> > and the security team has my sincere thanks and condolences for all
> > the work they have to do so we can sleep soundly :)
> > 
> > Or maybe I'm missing something and the Etch update has already been
> > released?  But the only updated package I can see at
> > http://security.debian.org/pool/updates/main/l/ is the "latest" one -
> > linux-latest-2.6_6etch3; but from what I can see, it builds
> > the linux-image-2.6-amd64_2.6.18+6etch3 package, which just depends on
> > linux-image-2.6.18-6-amd64 (the actual kernel), and the actual kernel
> > at http://security.debian.org/pool/updates/main/l/linux-2.6/ seems
> > to still be at version 2.6.18.dfsg.1-26etch1 from November 5, 2009.
> > 
> > Am I missing something, or is it just a question of manpower and time?
> > If the latter, sorry if this mail comes through as pushy - it's really
> > not meant to be!
> > 
> > Again, thanks to the security team for all their hard work!
> > Please CC me on replies, since I'm not subscribed to this list.
> 
> you didn't miss anything.  the update is in the works, and will be
> released with the next etch point release (as seen in some other mailing
> list; which one, i don't remember). the release team would be a better
> place to ask about when that is going to happen, but if they haven't
> announced anything publicly yet, then they probably have yet to set a
> date.

The plan is to release both via the normal DSA process which will, as
Mike mentioned, then become queued for the next point release. I'd
suggest just watching debian-security-announce for an update. If
you want to see what will be fixed, I'd suggest taking a look at the
current changelogs in svn:

  http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/changelog
  http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6.24/debian/changelog

If you are interested in a specific CVE, you can look it up here:
  http://svn.debian.org/wsvn/kernel-sec

-- 
dann frazier

