Bill Moseley wrote:
> Once again I'm not clear about a security posting.
>
> Wichert's post about the Debian hacked machines and the integer overflow
> in the Kernel talks about the 2.4.18 source package being updated.
> But my machines are all using the package:
>
> kernel-source-2.4.20 - Linux kernel source for version 2.4.20 with Debian patches

That is probably the kernel from woody-proposed-updates and not from woody itself. You are effectively running a backport. I may even have been the one to have suggested that to you some time ago. It sounds very familiar. Sorry that it is now an issue to resolve. Fortunately this is pretty easy.

The woody-proposed-updates is just an area of backports which the maintainer feels is a candidate for an update into woody. That is subject to the release manager's approval. The rules for that are strict and many things in the proposed updates area do not meet those rules. So I would not point to there and upgrade everything, for example. But using the 2.4.20 kernel from there has been convenient.

> So how would I get this patch?

Of course this is so new that 2.4.23 does not even exist in unstable at this moment! The latest I see there is 2.4.22. But I imagine one will appear there shortly. If you can be patient then I would wait a day. Through unstable is the easiest way for these updates to flow. Unfortunately without a 2.4.23 in unstable it won't be available other places such as the backports (with the Debian patches) either.

Until then you have a couple of options. If fixing this vulnerability is really an immediate need and you want the least hassle then install the fixed 2.4.18 versions as announced in the DSA, boot that and remove the vulnerable 2.4.20 versions.

But if your original reason for going to 2.4.20 was that you needed the later drivers (a common case) then going back to 2.4.18 won't be good. It would leave your system unusable. In which case you will need to move forward, ever forward to 2.4.23.

If you cannot wait then you would need to compile the 2.4.23 kernel yourself. That was released only three days ago and has not propagated through to Debian unstable yet. Of course some people always build their own kernels. I used to be one of those but now I try to reuse other people's work as much as possible.

But if you want to compile your own kernel then download the source from kernel.org, use make-kpkg and follow the directions from http://newbiedoc.sourceforge.net/system/kernel-pkg.html.

Of course you might like the Debian patches. If you can wait, it has only been three days, then I would wait for 2.4.23 to become available in unstable with all of the patches applied then use make-kpkg to build it for woody. Or lobby the maintainer to do that and to put a copy in woody-proposed-updates since that is so convenient.

Bob