Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities
On Wed, Mar 10, 2010 at 04:09:48PM -0500, Daniel Kahn Gillmor wrote:
> On 03/10/2010 02:49 PM, dann frazier wrote:
> > On Wed, Mar 10, 2010 at 02:18:38PM -0500, Daniel Kahn Gillmor wrote:
> >> It's not clear to me from the instructions above whether users should
> >> re-build their kvm modules package as well as installing the revised
> >> versions.
> >> Is the vulnerability fully-resolved by simply upgrading the kvm package?
> >> (i really don't know, and figure y'all are the right folks to ask).
> > If you've never built/installed modules from the kvm-source package,
> > this advisory does not apply to you. If you have - you will need to
> > update your kernel-source package and rebuild/reload those modules.
> So i have a lenny system, running 2.6.26-2-amd64. When it was running
> 2.6.26-1-amd64, i built and installed modules from the kvm_source. but
> when i upgraded to 2.6.26-2-amd64, i didn't bother to build new modules,
> and just went with the kvm modules shipped in the stock
> linux-image-2.6.26-2-amd64 package.
> A literal reading of your response above makes me think i need to do a
> rebuild for that system, but if i'm actually understanding you, it
> sounds like i *don't* need to do a module rebuild. argh.
Yeah, in that case, you do not need to rebuild.
Basically, if you have kvm-modules-$(uname -r) installed, you need to
upgrade/rebuild. If you don't, then you don't.
> sorry if this line of questioning is annoying or frustrating. i'm not
> trying to be obnoxious or pedantic, i'm trying to make sure i actually
> understand the issue.
> >> I note that there are kvm modules shipped with the default stable
> >> kernel.
> > Yes, these issues are being tracked there as well (3/4 are already
> > fixed in the latest stable update).
> Nice, thanks for the info. So would the 4th be fixed if i went ahead
> and rebuilt from the kvm_source package referenced by DSA-2010-1?
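
The rule of thumb given in the reply above (kvm-modules-$(uname -r) installed means upgrade/rebuild, otherwise not), as an added shell example that is not part of the original thread. The function names and the sample package list are constructed for illustration, and treating every dpkg state other than `not-installed` and `config-files` as "present" is an assumption chosen to err on the side of rebuilding.

```shell
#!/bin/sh
# Added example: decide whether a kvm-modules package (built from kvm-source)
# is present for a given kernel release.
# Input on stdin: lines of "<package> <want> <flag> <status>", as printed by
#   dpkg-query -W -f='${Package} ${Status}\n' 'kvm-modules-*'

kvm_modules_present() {
    # $1 = kernel release, e.g. the output of `uname -r`
    awk -v pkg="kvm-modules-$1" '
        # "not-installed" and "config-files" leave no module files on disk.
        # Any other state (installed, unpacked, half-configured, ...) can
        # leave the old modules loadable, so it counts as present.
        $1 == pkg && $4 != "not-installed" && $4 != "config-files" { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

advise() {
    # Prints the action for release $1, reading package states from stdin.
    if kvm_modules_present "$1"; then
        echo "rebuild"
    else
        echo "no-rebuild"
    fi
}

# Constructed sample: modules were built for the -1-amd64 kernel only, and a
# package for another flavour was removed but not purged.
SAMPLE='kvm-modules-2.6.26-1-amd64 install ok installed
kvm-modules-2.6.26-2-686 deinstall ok config-files'

for rel in 2.6.26-1-amd64 2.6.26-2-amd64 2.6.26-2-686; do
    printf '%s: %s\n' "$rel" "$(printf '%s\n' "$SAMPLE" | advise "$rel")"
done
```

On a live system, pipe the `dpkg-query` command from the header comment into `advise "$(uname -r)"`; `dpkg-query` exits non-zero and prints nothing on stdout when no package matches, which `advise` reports as `no-rebuild`.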