Andreas Janssen wrote:
> Stephane wrote:
> > OK this sounds good to me. But I'm wondering something else now: the
> > ptrace exploit was a severe security flaw, so how come my 2.4.18bf2.4
> > does not get upgraded when I apt-get update with the security source
> > in my source-list?

Good question. It should. What does apt-cache policy say for your kernel?

  apt-cache policy kernel-image-2.4.18-bf2.4

However I am guessing that it is not suggesting that you update since I will guess that you already have the newer kernel installed and therefore already have the security fix.

> Because the package management does not know of the installed kernel.

Negative. The package management system *does* know about your installed kernel. And in this case of running the bf24 kernel you should be getting an update for it if you are running an older version of it. Note that if you are running a tuned kernel then you won't, however.

  apt-cache policy kernel-image-2.4.18-bf2.4
  kernel-image-2.4.18-bf2.4:
    Installed: (none)
    Candidate: 2.4.18-5woody4
    Version Table:
       2.4.18-5woody4 0
          500 http://security.debian.org stable/updates/main Packages
       2.4.18-5 0
          500 http://http.us.debian.org stable/main Packages

If you are running the kernel-image-2.4.18-bf2.4 as your kernel version 2.4.18-5 from the woody release then an apt-get upgrade should want to upgrade you to version 2.4.18-5woody4 from the security archive.

> Because normally you would instead install some kernel image built for
> your architecture after installing the base system.

I would say normally as well since I always install a tuned kernel for my system. It is normal for me anyway. But I see and hear of a lot of people that are still running the original bootstrapping kernel. I dare say that is not as unusual as it seems.

[I think it is a disservice to the users for the installer to be leaving the system with an untuned kernel. It makes the first upgrade more difficult than it should be for them. Of course after that future kernel upgrades are easy again. But that is another story.]

If you have installed a tuned kernel then you won't get a prompt from 'apt-get upgrade'. DSA-311-1 and others provide the answer.

  If you are using the kernel installed by the installation system when
  the "bf24" option is selected (for a 2.4.x kernel), you should install
  the kernel-image-2.4.18-bf2.4 package. If you installed a different
  kernel-image package after installation, you should install the
  corresponding 2.4.18-1 kernel. You may use the table below as a guide.

  | If "uname -r" shows: | Install this package:
  ------------------------------------------------------
  | 2.4.18-bf2.4         | kernel-image-2.4.18-bf2.4
  | 2.4.18-386           | kernel-image-2.4.18-1-386
  | 2.4.18-586tsc        | kernel-image-2.4.18-1-586tsc
  | 2.4.18-686           | kernel-image-2.4.18-1-686
  | 2.4.18-686-smp       | kernel-image-2.4.18-1-686-smp
  | 2.4.18-k6            | kernel-image-2.4.18-1-k6
  | 2.4.18-k7            | kernel-image-2.4.18-1-k7

  NOTE: that this kernel is not binary compatible with the previous
  version. For this reason, the kernel has a different version number
  and will not be installed automatically as part of the normal upgrade
  process. Any custom modules will need to be rebuilt in order to work
  with the new kernel. New PCMCIA modules are provided for all of the
  above kernels.

Since the tuned kernels were not binary compatible they will not be automatically updating your system. But you should seek out those updates and manually select the appropriate kernel and upgrade.

Hope that helps.

Bob
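
Added example, not part of the original message: a shell check that combines the DSA-311-1 table with the "apt-cache policy" header fields to tell whether the fixed kernel arrives through apt-get upgrade or needs a manual install. The function names, status labels and sample policy text are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and status labels are hypothetical.

# Map a running kernel release ("uname -r") to the package the DSA-311-1 table names.
dsa311_package() {
    case "$1" in
        2.4.18-bf2.4) echo "kernel-image-2.4.18-bf2.4" ;;
        2.4.18-386|2.4.18-586tsc|2.4.18-686|2.4.18-686-smp|2.4.18-k6|2.4.18-k7)
            echo "kernel-image-2.4.18-1-${1#2.4.18-}" ;;
        *) return 1 ;;
    esac
}

# Read "apt-cache policy" text on stdin and print the value of one header field.
policy_field() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# $1 = kernel release, $2 = "apt-cache policy" output for the package mapped above.
# Versions are compared as plain strings (a simplification: differ means pending).
kernel_update_status() {
    pkg=$(dsa311_package "$1") || { echo "not-in-table"; return 0; }
    installed=$(printf '%s\n' "$2" | policy_field Installed)
    candidate=$(printf '%s\n' "$2" | policy_field Candidate)
    if [ "$installed" = "(none)" ]; then
        # Fixed kernel is a differently named package: apt-get upgrade skips it.
        echo "manual-install $pkg"
    elif [ "$installed" != "$candidate" ]; then
        # Same package name, newer candidate: apt-get upgrade will offer it.
        echo "upgrade-pending $pkg $candidate"
    else
        echo "current $pkg"
    fi
}

# Constructed sample inputs; the candidate version of the tuned package is a placeholder.
BF24_POLICY='kernel-image-2.4.18-bf2.4:
  Installed: 2.4.18-5
  Candidate: 2.4.18-5woody4'
TUNED_POLICY='kernel-image-2.4.18-1-686:
  Installed: (none)
  Candidate: CONSTRUCTED-VERSION'

kernel_update_status 2.4.18-bf2.4 "$BF24_POLICY"
kernel_update_status 2.4.18-686 "$TUNED_POLICY"
```

On a live woody system the two arguments would come from "uname -r" and from "apt-cache policy" run on the package name that dsa311_package prints.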