On Mon, Jul 04, 2005 at 06:39:38PM -0300, Martin C. wrote:
> Hi all... I have a doubt about whether the kernel-source-2.6.8 package is old or
> not.
> I usually use that package for my custom kernels, downloading it with
> apt-get from the official Debian repository.
> Days ago, I saw a new bug for kernels 2.6.x
> (http://secunia.com/advisories/15812/) but nobody in the Debian security
> team advised about this bug, even in security-announce, and neither
> was kernel-source-2.6.8 in the Debian repository updated.

You are correct that the kernel-source has not yet been updated. Don't forget that Debian has to coordinate the build and simultaneous release of lots of kernel-image-* packages. Even with that, serious and critical vulnerabilities (of which the one you cite is not) are dealt with swiftly.

> My fear is that the kernel-source-2.6.8 package has a bug and my
> system is not secure for that reason.
> Can anybody answer my question about whether the k-s package is maintained? Or
> should I download and compile the kernel source from kernel.org and no
> more from the Debian repository?

That would be a Bad Idea(TM). Kernels shipping from kernel.org are never patched for security. They simply release new versions. Thus, if kernel x.y.z works for you and some critical vulnerability is announced, you will have to upgrade to kernel x.y.z+1. The reason for that is that kernel.org does not directly support end users. It is primarily a source for distribution packagers and maintainers to obtain sources from which to build distribution-specific kernels. If you wanted to continue using kernel x.y.z, you would need to manually backport the security fix yourself (or hire someone to do it, or find work that has already been done on it, e.g., as from the Debian kernel team).

> Thanks a lot everybody.

You're welcome.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr