On 03/23/2006 04:58 PM, Moritz Muehlenhoff wrote:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 1017-1                       [EMAIL PROTECTED]
> http://www.debian.org/security/                Dann Frazier, Simon Horman
> March 23th, 2006                        http://www.debian.org/security/faq
> --------------------------------------------------------------------------
>
> Package        : kernel-source-2.6.8
> Vulnerability  : several
> Problem-Type   : local/remote
> Debian-specific: no
> CVE ID         : CVE-2004-1017 CVE-2005-0124 CVE-2005-0449 CVE-2005-2457
>                  CVE-2005-2490 CVE-2005-2555 CVE-2005-2709 CVE-2005-2800 CVE-2005-2973
>                  CVE-2005-3044 CVE-2005-3053 CVE-2005-3055 CVE-2005-3180 CVE-2005-3181
>                  CVE-2005-3257 CVE-2005-3356 CVE-2005-3358 CVE-2005-3783 CVE-2005-3784
>                  CVE-2005-3806 CVE-2005-3847 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858
>                  CVE-2005-4605 CVE-2005-4618 CVE-2006-0095 CVE-2006-0096 CVE-2006-0482
>                  CVE-2006-1066
> Debian Bug     : 295949 334113 330287 332587 332596 330343 330353 327416
>
> Several local and remote vulnerabilities have been discovered in the Linux
> kernel that may lead to a denial of service or the execution of arbitrary
> code. The Common Vulnerabilities and Exposures project identifies the
> following problems:

[snip]

> The following matrix explains which kernel version for which architecture
> fix the problems mentioned above:
>
>                                  Debian 3.1 (sarge)
>      Source                      2.6.8-16sarge2
>      Alpha architecture          2.6.8-16sarge2
>      AMD64 architecture          2.6.8-16sarge2
>      HP Precision architecture   2.6.8-6sarge2
>      Intel IA-32 architecture    2.6.8-16sarge2
>      Intel IA-64 architecture    2.6.8-14sarge2
>      Motorola 680x0 architecture 2.6.8-4sarge2
>      PowerPC architecture        2.6.8-12sarge2
>      IBM S/390 architecture      2.6.8-5sarge2
>      Sun Sparc architecture      2.6.8-15sarge2
>
> The following matrix lists additional packages that were rebuilt for
> compatibility with or to take advantage of this update:
>
>                                  Debian 3.1 (sarge)
>      kernel-latest-2.6-alpha     101sarge1
>      kernel-latest-2.6-amd64     103sarge1
>      kernel-latest-2.6-hppa      2.6.8-1sarge1
>      kernel-latest-2.6-sparc     101sarge1
>      kernel-latest-2.6-i386      101sarge1
>      kernel-latest-powerpc       102sarge1
>      fai-kernels                 1.9.1sarge1
>      hostap-modules-i386         0.3.7-1sarge1
>      mol-modules-2.6.8           0.9.70+2.6.8+12sarge1
>      ndiswrapper-modules-i386    1.1-2sarge1
>
> We recommend that you upgrade your kernel package immediately and reboot
> the machine. If you have built a custom kernel from the kernel source
> package, you will need to rebuild to take advantage of these fixes.
>
> This update introduces a change in the kernel's binary interface, the affected
> kernel packages inside Debian have been rebuilt, if you're running local
> addons you'll need to rebuild these as well.
>
> Upgrade Instructions

[snip]

Possible problem with automatic upgrades:
========================================

aptitude update/upgrade did not automatically install the security
update for my sarge systems. I had to manually install
kernel-image-2.6-686, otherwise no upgrade was initiated. The usual
warning to reboot the system was also missing.

If I did not subscribe to debian-security-announce, I never would have
known that aptitude update/upgrade would /miss/ this important security
upgrade.

My systems were installed from sarge ISO and net-installed:

ls -l /var/log/debian-installer/messages
-rw-r--r-- 1 root root 38K 2006-01-04 16:19 /var/log/debian-installer/messages

grep kernel-image-2.6 /var/log/debian-installer/messages
  kernel-image-2.6.8-2-686 module-init-tools
Selecting previously deselected package kernel-image-2.6.8-2-686.
Unpacking kernel-image-2.6.8-2-686 (from .../kernel-image-2.6.8-2-686_2.6.8-16_i386.deb) ...
Setting up kernel-image-2.6.8-2-686 (2.6.8-16) ...

So... kernel-image-2.6-686 was never installed until I manually
installed it just now.

Please consider that other users who do not subscribe to
debian-security-announce may be unprotected by relying on aptitude or
apt-get upgrades for security upgrades, if my experience is not unusual.

Thank you and regards,

Ralph
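
Added example, not part of the original message: a shell check for the situation reported above, where a versioned kernel-image package is installed without the metapackage that routine upgrades follow. The function names and the sample package list are constructed, and the naming rule is an assumption inferred from the two package names in the post (kernel-image-2.6.8-2-686 and kernel-image-2.6-686).

```shell
#!/bin/sh
# Added example (not from the original message).
# Assumed naming rule, inferred from the post:
#   kernel-image-<major>.<minor>.<patch>-<abi>-<flavour>   versioned image
#   kernel-image-<major>.<minor>-<flavour>                 its metapackage

# List packages whose dpkg status is "install ok installed".
installed_packages() {
    dpkg-query -W -f='${Status} ${Package}\n' |
        awk '$3 == "installed" { print $4 }'
}

# Read package names (one per line) on stdin. Print every metapackage that
# is missing although a versioned kernel image of that flavour is present.
missing_kernel_metapackages() {
    pkgs=$(cat)
    printf '%s\n' "$pkgs" |
        sed -n 's/^kernel-image-\([0-9][0-9]*\.[0-9][0-9]*\)\.[0-9][0-9]*-[0-9][0-9]*-\(.*\)$/kernel-image-\1-\2/p' |
        sort -u |
        while read -r meta; do
            # -x: whole-line match, -F: fixed string, so dots are literal
            printf '%s\n' "$pkgs" | grep -qxF -- "$meta" ||
                printf '%s\n' "$meta"
        done
}

# Constructed sample: the state the installer log in the post implies.
sample_packages() {
    printf '%s\n' kernel-image-2.6.8-2-686 module-init-tools aptitude
}

# On a live system:
#   installed_packages | missing_kernel_metapackages
# With the constructed sample:
#   sample_packages | missing_kernel_metapackages
```

Any name it prints is a metapackage to install so that later kernel security updates are pulled in by a normal upgrade.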