
Re: Woody Stable Kernel



Andreas Janssen wrote:
> Stephane wrote:
> > OK this sounds good to me. But I'm wondering something else now: the
> > ptrace exploit was a severe security flaw, so how come my 2.4.18bf2.4
> > does not get upgraded when I apt-get update with the security source
> > in my source-list?

Good question.  It should.  What does apt-cache policy say for your
kernel?

  apt-cache policy kernel-image-2.4.18-bf2.4

However I am guessing that it is not suggesting that you update since
I will guess that you already have the newer kernel installed and
therefore already have the security fix.

> Because the package management does not know of the installed kernel.

Negative.  The package management system *does* know about your
installed kernel.  And in this case of running the bf24 kernel you
should be getting an update for it if you are running an older version
of it.  Note that if you are running a tuned kernel then you won't,
however.

  apt-cache policy kernel-image-2.4.18-bf2.4
  kernel-image-2.4.18-bf2.4:
    Installed: (none)
    Candidate: 2.4.18-5woody4
    Version Table:
       2.4.18-5woody4 0
          500 http://security.debian.org stable/updates/main Packages
       2.4.18-5 0
          500 http://http.us.debian.org stable/main Packages

If you are running the kernel-image-2.4.18-bf2.4 as your kernel
version 2.4.18-5 from the woody release then an apt-get upgrade should
want to upgrade you to version 2.4.18-5woody4 from the security
archive.

> Because normally you would instead install some kernel image built for
> your architecture after installing the base system.

I would say normally as well since I always install a tuned kernel for
my system.  It is normal for me anyway.  But I see and hear of a lot
of people that are still running the original bootstrapping kernel.  I
dare say that is not as unusual as it seems.  [I think it is a
disservice to the users for the installer to be leaving the system
with an untuned kernel.  It makes the first upgrade more difficult
than it should be for them.  Of course after that future kernel
upgrades are easy again.  But that is another story.]

If you have installed a tuned kernel then you won't get a prompt
from 'apt-get upgrade'.  DSA-311-1 and others provide the answer.

  If you are using the kernel installed by the installation system when
  the "bf24" option is selected (for a 2.4.x kernel), you should install
  the kernel-image-2.4.18-bf2.4 package.  If you installed a different  
  kernel-image package after installation, you should install the
  corresponding 2.4.18-1 kernel.  You may use the table below as a
  guide.

  | If "uname -r" shows: | Install this package:
  --------------------------------------------------------
  | 2.4.18-bf2.4         | kernel-image-2.4.18-bf2.4
  | 2.4.18-386           | kernel-image-2.4.18-1-386
  | 2.4.18-586tsc        | kernel-image-2.4.18-1-586tsc
  | 2.4.18-686           | kernel-image-2.4.18-1-686
  | 2.4.18-686-smp       | kernel-image-2.4.18-1-686-smp
  | 2.4.18-k6            | kernel-image-2.4.18-1-k6
  | 2.4.18-k7            | kernel-image-2.4.18-1-k7

  NOTE: that this kernel is not binary compatible with the previous  
  version.  For this reason, the kernel has a different version number
  and will not be installed automatically as part of the normal upgrade 
  process.  Any custom modules will need to be rebuilt in order to work
  with the new kernel.  New PCMCIA modules are provided for all of the
  above kernels.

Since the tuned kernels were not binary compatible they will not be
automatically updating your system.  But you should seek out those
updates and manually select the appropriate kernel and upgrade.

Hope that helps.

Bob
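
Added example, not part of the original message: the check described above as shell functions that map `uname -r` to the DSA-311-1 package and read `apt-cache policy` output to see whether the security candidate is installed. The function names are hypothetical and the sample input is constructed from the output quoted in the message.

```shell
#!/bin/sh
# Added example (hypothetical function names). Constructed sample: the
# `apt-cache policy` output quoted in the message.
sample_policy() {
cat <<'EOF'
kernel-image-2.4.18-bf2.4:
  Installed: (none)
  Candidate: 2.4.18-5woody4
  Version Table:
     2.4.18-5woody4 0
        500 http://security.debian.org stable/updates/main Packages
     2.4.18-5 0
        500 http://http.us.debian.org stable/main Packages
EOF
}

# Map a `uname -r` string to the package named in the DSA-311-1 table.
# Returns 1 for any kernel the table does not list (e.g. a self-built one).
dsa_package() {
  case "$1" in
    2.4.18-bf2.4) echo "kernel-image-2.4.18-bf2.4" ;;
    2.4.18-386|2.4.18-586tsc|2.4.18-686|2.4.18-686-smp|2.4.18-k6|2.4.18-k7)
      echo "kernel-image-2.4.18-1-${1#2.4.18-}" ;;
    *) return 1 ;;
  esac
}

# Read `apt-cache policy PKG` on stdin; print not-installed/current/upgrade.
policy_status() {
  awk '$1 == "Installed:" { inst = $2 }
       $1 == "Candidate:" { cand = $2 }
       END { if (inst == "" || cand == "") { print "unparsed"; exit 2 }
             if (inst == "(none)") print "not-installed", cand
             else if (inst == cand) print "current", inst
             else print "upgrade", inst, cand }'
}

# Succeed only if the candidate version is served by security.debian.org.
candidate_from_security() {
  awk '$1 == "Candidate:" { cand = $2; next }
       cand != "" && ($1 == cand || ($1 == "***" && $2 == cand)) { hit = 1; next }
       hit && $1 !~ /^[0-9]+$/ { hit = 0 }
       hit && /security\.debian\.org/ { found = 1 }
       END { exit !found }'
}

pkg=$(dsa_package "2.4.18-686") && echo "DSA-311-1 package: $pkg"
sample_policy | policy_status
sample_policy | candidate_from_security && echo "candidate is from security archive"
```

On a live system, feed it `apt-cache policy "$(dsa_package "$(uname -r)")"`; a `not-installed` result for a tuned kernel is the case that needs the manual install described above.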
