
All linux-image-2.6-* packages in Etch/4.0 vulnerable?



-- Please CC me, when replying, since I'm not subscribed to the list.

Hello,

According to DSA-1356-1 [1] there are security updates available for
all linux-image-2.6.18* packages in Etch. One needs to upgrade to
versions named linux-image-2.6.18-5* to benefit from the update.

Now I noticed that on my box the actual update was not installed
automatically by 'aptitude dist-upgrade' and I am still running
linux-image-2.6.18-4-k7. That package was installed automatically
because I installed linux-image-k7 which depends on linux-image-2.6-k7
which then depends on the actual linux-image-2.6.18-4-k7 package.

According to the descriptions of linux-image-* and
linux-image-2.6-*, these depend on the _latest_ "binary image for
Linux kernel". But linux-image-2.6-* still depends on
linux-image-2.6.18-4-*.

IMHO something is really wrong with that. Obviously it is related to
the jump from linux-image-2.6.18-4* to linux-image-2.6.18-5*. I am not
really familiar with the Debian versioning system, but up until the
update before DSA-1356-1, the only thing that changed due to a
security update to the kernel package was the version number but not
the package name.

Packages I found depending on the wrong kernel version:

	linux-image-2.6-xen-686, linux-image-2.6-xen-vserver-686,
	linux-image-2.6-486, linux-image-2.6-686,
	linux-image-2.6-686-bigmem, linux-image-2.6-amd64,
	linux-image-2.6-k7, linux-image-2.6-vserver-686,
	linux-image-2.6-vserver-k7

according to apt-cache on my machine.

Looking a bit closer I can see no way how I or any other Debian user
could get the update automatically, since no package that could have
been installed before DSA-1356-1 depends on those new ones. So anybody
not regularly checking the security site or not subscribed to the
security-announce list will miss those security fixes.

Any comments and clarifications will be much appreciated.

[1] http://www.debian.org/security/2007/dsa-1356

Regards
-- 
Marcus Blumhagen

"Any intelligent fool can make things bigger, more complex, and more
violent. It takes a touch of genius -- and a lot of courage -- to move
in the opposite direction."
                                                      -- Albert Einstein
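
The situation described in the message above (a linux-image-2.6-* metapackage still depending on a -4 image while -5 images exist) can be checked mechanically. The shell functions below are an added example, not part of the original post or of Debian's tooling; the helper names newest_abi and check_dep and the package list in SAMPLE are constructed for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE is a constructed package list, not real archive data.
# On a real system the names could come from:
#   apt-cache pkgnames linux-image-2.6.18-
# and the dependency to check from:
#   apt-cache depends linux-image-2.6-k7
SAMPLE='linux-image-2.6.18-4-k7
linux-image-2.6.18-5-k7
linux-image-2.6.18-4-686
linux-image-2.6.18-5-686
linux-image-2.6.18-5-686-bigmem
linux-image-2.6.18-4-xen-686'

# newest_abi FLAVOUR (hypothetical helper): read package names on stdin and
# print the highest N among names of the form linux-image-2.6.18-N-FLAVOUR.
newest_abi() {
    awk -v f="$1" '
        index($0, "linux-image-2.6.18-") == 1 {
            rest = substr($0, length("linux-image-2.6.18-") + 1)
            n = rest
            sub(/-.*/, "", n)                 # leading ABI field
            if (n !~ /^[0-9]+$/) next
            if (rest != n "-" f) next         # exact flavour match only
            if (n + 0 > max) max = n + 0
        }
        END { if (max) print max }'
}

# check_dep DEP (hypothetical helper): DEP is the versioned image a
# metapackage depends on; available names arrive on stdin.
# Returns 0 if current, 1 if a higher ABI exists, 2 if DEP is unparsable.
check_dep() {
    dep=$1
    rest=${dep#linux-image-2.6.18-}
    abi=${rest%%-*}
    flavour=${rest#*-}
    case $abi in ''|*[!0-9]*) echo "SKIP: $dep"; return 2 ;; esac
    newest=$(newest_abi "$flavour")
    if [ -n "$newest" ] && [ "$newest" -gt "$abi" ]; then
        echo "STALE: $dep (newer: linux-image-2.6.18-$newest-$flavour)"
        return 1
    fi
    echo "OK: $dep"
}

printf '%s\n' "$SAMPLE" | check_dep linux-image-2.6.18-4-k7 || :
printf '%s\n' "$SAMPLE" | check_dep linux-image-2.6.18-4-xen-686 || :
```

A STALE result means the metapackage will not pull in the newer image by itself, so the fixed kernel has to be installed by name and the machine rebooted into it.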
