On Tue, May 14, 2013 at 09:36:12AM -0700, John Andreasson wrote:
> Hi.
>
> Was just alerted of a kernel bug in RHEL [1], but when testing the sample
> code on Wheezy as an unprivileged user it successfully gives me a root
> prompt. Kind of suboptimal. :-(
>
> Any idea when this is fixed?
We're i
On Thu, May 10, 2012 at 04:46:25PM +0100, Pedro Mendes Jorge wrote:
>
>
> On 05/10/2012 02:47 PM, dann frazier wrote:
> > On Thu, May 10, 2012 at 03:39:58AM -0700, Mark Rushing wrote:
> >> This mistake made it onto a few machines here before I noticed and
> >
On Thu, May 10, 2012 at 03:39:58AM -0700, Mark Rushing wrote:
> This mistake made it onto a few machines here before I noticed and
> came to check... it's an okay update to have installed, in the
> meantime though, yes? I mean, it's not some untested
> work-in-progress that slipped in... that I sh
On Wed, Feb 01, 2012 at 02:32:19PM +, Ben Hutchings wrote:
> On Wed, 2012-02-01 at 10:51 +0100, Yves-Alexis Perez wrote:
> > On mer., 2012-02-01 at 10:34 +0100, Wouter Verhelst wrote:
> > > On Wed, Feb 01, 2012 at 10:24:40AM +0100, Yves-Alexis Perez wrote:
> > > > On mar., 2012-01-31 at 11:01 -
On Sat, Jun 18, 2011 at 11:28:25PM -0400, Eric d'Halibut wrote:
> Hi Dann,
>
> PMFJI...
>
> On 6/18/11, dann frazier wrote:
>
> > However, given the high frequency at which low-severity security
> > issues are discovered in the kernel and the resource
On Wed, Feb 16, 2011 at 07:59:16AM -0200, Henrique de Moraes Holschuh wrote:
> On Wed, 16 Feb 2011, Pascal Hambourg wrote:
> > Johan Grönqvist wrote:
> > > 2011-02-15 22:46, Kelly Dean wrote:
> > >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> > >> published Sept 30, 2010,
Dan and others have been finding several issues like this
lately. Debian is tracking them and we will include fixes in a future
kernel update. As this class of issue is relatively minor and
frequent, we don't push out a kernel update immediately each time
one pops up. Rather, we queue them until
See http://bugs.debian.org/573490
--
dann frazier
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100311231422.gd22...@lackof.org
e system.
You would need to shutdown all users of kvm and unload the existing
module as well.
--
dann frazier
On Wed, Mar 10, 2010 at 04:09:48PM -0500, Daniel Kahn Gillmor wrote:
> On 03/10/2010 02:49 PM, dann frazier wrote:
> > On Wed, Mar 10, 2010 at 02:18:38PM -0500, Daniel Kahn Gillmor wrote:
> >> It's not clear to me from the instructions above whether users should
> >
On Wed, Mar 10, 2010 at 02:18:38PM -0500, Daniel Kahn Gillmor wrote:
> Hi Debian Security folks--
>
> On 03/10/2010 01:18 PM, dann frazier wrote:
> >
> > Debian Security Advisory DSA-2010
On Sun, Feb 28, 2010 at 08:53:30PM -0700, dann frazier wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> - --
> Debian Security Advisory DSA-2004-1secur...@debian.org
> http://www.d
ase. I'd
suggest just watching for debian-security-announce for an update. If
you want to see what will be fixed, I'd suggest taking a look at the
current changelogs in svn:
http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/changelog
http://svn.de
machine, partly since it
> > offers this protection.
> >
> Thanks Dominic,
>
> So would
>
> sudo apt-get install linux-image-2.6.24-etchnhalf.1-686
>
> be the right approach here?
A combination of that and the mmap_min_addr.conf file would do the trick.
--
dann frazier
> under Debian 4.0.
There isn't a pre-existing mmap_min_addr.conf, you need to create it.
You can view the current value in /proc:
# cat /proc/sys/vm/mmap_min_addr
> What is the right way to proceed? Should I be looking at upgrading my servers?
>
> Thanks!
>
> John
>
rom the list. Last time this happened it was due to a non-ascii
character in the text, I'll retry in a moment.
--
dann frazier
should have
> 2.6.30-8 or higher for sid and 2.6.26-19 or higher for lenny (not sure
> where your 2.6.22 version came from, but i would recommend installing
> an official kernel package instead of that one; otherwise you have no
> security support at all).
>
> mike
>
not all the security announcements go there, but why is
> the 2.6.24 fix listed but 2.6.18 is not? Is 2.6.24 considered as the
> 'default' etch kernel?
2.6.18 and 2.6.24 are equally supported for etch.
--
dann frazier
/debian-security/2009/07/msg00096.html ?
I haven't personally looked at this, though personally I think a more
structured DTD would be cool. fyi, you might want to cc
t...@security.debian.org when you are directing mail to the
security team.
> On Sun, Aug 16, 2009 at 02:5
On Mon, Aug 17, 2009 at 02:20:24PM +, Harald Weidner wrote:
> Hello,
>
> dann frazier :
>
> >The previous fix was for lenny's 2.6.26 kernel. This fix is for etch's
> >2.6.24 kernel.
>
> Will there also be a fix for etch's 2.6.18 kernel?
http://l
regards
The previous fix was for lenny's 2.6.26 kernel. This fix is for etch's
2.6.24 kernel.
--
dann frazier
-mail (off-list please) about which flavor you are
testing. Thanks!
--
dann frazier
ebian lenny-proposed-security-updates main
If you are interested in participating, please upgrade your system and
send me an e-mail (off-list please) about which flavor you are
testing. Thanks!
--
dann frazier
On Fri, Dec 12, 2008 at 08:53:43AM +, Marcin Owsiany wrote:
> On Thu, Dec 11, 2008 at 12:11:05PM -0700, dann frazier wrote:
> > On Thu, Dec 11, 2008 at 06:49:59PM +, Dominic Hargreaves wrote:
> > > On Thu, Dec 11, 2008 at 11:38:28AM -0700, dann frazier wrote:
> >
On Thu, Dec 11, 2008 at 05:06:52PM +, Dominic Hargreaves wrote:
> On Thu, Dec 04, 2008 at 10:59:11AM -0700, dann frazier wrote:
>
> > Package: linux-2.6.24
> > Vulnerability : denial of service/privilege escalation
> > Problem type : local/remote
> >
On Thu, Dec 11, 2008 at 06:49:59PM +, Dominic Hargreaves wrote:
> On Thu, Dec 11, 2008 at 11:38:28AM -0700, dann frazier wrote:
> > Yes - 2.6.18 is in stable, and as such will be security supported for
> > at least another year. Minor/local DoS security issues in the kern
elease, so it also receives
security fixes.
You can lookup the status of individual issues by CVE name here:
http://security-tracker.debian.net/tracker/
--
dann frazier
en below:
> apt-get update
> will update the internal database apt-get upgrade
> will install corrected packages"
It's correct in the archives - maybe an issue on your end?
http://lists.debian.org/debian-security-announce/2008/msg00245.html
--
dann frazier
> the 2.6.18 kernel series in Debian? If I believe this link, this bug is
> not limited to 2.6.24 in Etch-and-a-half.
The code affected by CVE-2008-3915 was added between 2.6.18 and
2.6.19. Fixes for CVE-2008-3276 and CVE-2007-6716 are pending for the
next 2.6.18 update.
> http://web.nv
e Feb 12 06:40:50 UTC 2008 x86_64
>
> Is it something I am not doing right?
Are you sure you're running a debian-provided kernel?
I'd expect to see something like 2.6.18-6-xen-amd64 in the uname.
--
dann frazier
4, no need for that one.
>
> Thanks for your concern, Max.
>
> I will wait for a response from security or release team before working
> more on this.
Jonas,
Your patch (w/o the firewire changes, as Maks points out) looks
good to me. Please go ahead and upload to stable.
--
es are typically queued to avoid churn and there
is some amount of resource contention.
--
dann frazier
) that resulted in
missing binary modules. It is true that sarge is no longer security
supported, but since this was a regression caused by a security update
we went ahead and released the fix.
--
dann frazier
https://bugzilla.redhat.com/attachment.cgi?id=294062
>
>
--
dann frazier
On Mon, May 12, 2008 at 11:52:27PM +0100, Dominic Hargreaves wrote:
> On Mon, May 12, 2008 at 03:13:14PM -0600, dann frazier wrote:
>
> > Vulnerability : denial of service
>
> > CVE-2008-1669
> >
> > Alexander Viro discovered a race condition in the fcntl c
uid update process for non-security/critical issues,
but it doesn't exist at the moment. The security team controls what
goes out as a security update, and we're not going to get the security
team to release a security update for a non-security issue.
--
dann frazier
ne else's N, but we can certainly be
proud to have honored the commitment we made to our users.
Using # of years of support as a measurement of "goodness" is as silly
as using # of advisories as a measurement of an OS's "secureness".
--
dann frazier
On Mon, Mar 03, 2008 at 06:09:08PM -0700, dann frazier wrote:
> On Fri, Feb 29, 2008 at 05:06:18PM +0100, Vladislav Kurz wrote:
> > Hello all,
> >
> > I wanted to file this through BTS but I'm not sure which package is the
> > right
> > place to file kern
ausing system crash and maybe
> even filesystem corruption at least with ext2 filesystem.
Thanks for the report. There will be another update soon to fix this
issue.
--
dann frazier
released an update
> for linux-latest because of the ABI transition due to the stable
> upgrade.
The last DSA included one that should work (6etch3) - it was released
via security and is pending in proposed-updates.
--
dann frazier
?
>
> No as you can see on:
> http://security-tracker.debian.net/tracker/CVE-2008-0001
It is pending the next kernel update, as you can see here:
http://people.debian.org/~dannf/kernel-sec-status.html
--
dann frazier
1428) or
> 2.6.18.dfsg.1-13etch6 (DSA 1436) have been merged.
>
> Is this an omission in the changelog, or should one expect a new DSA soon?
The changelog entries for 13etch5 and 13etch6 are included in the -17
changelog, there just isn't an explicit separate note about the merge.
--
On Mon, Dec 10, 2007 at 10:51:52PM -0700, dann frazier wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> - --
> Debian Security Advisory DSA 1428-1[EMAIL PROTECTED]
> htt
On Wed, Oct 10, 2007 at 09:15:42AM -0700, Mike Bird wrote:
> On Tuesday 02 October 2007 19:07, dann frazier wrote:
> > At the time of this DSA, only the build for the amd64 architecture is
> > available. Due to the severity of the amd64-specific issues, we are
> > releasing
ither
the debian-user list or VMware, Inc.
--
dann frazier
S but
> ia32entry-xen.S which is located in linux-2.6-xen-sparse.
>
> I have attached the patch to fix CVE-2007-4573 for Xen-x86_64
Thanks Ralf (and Tim) - I'll try to get a new update sent out this
afternoon.
--
dann frazier
> So I ended up with not knowing what to do and turned to the debian security
> list. You people have any idea, or what are you doing?
Wouldn't a better option be to teach fail2ban how to parse the "last
message repeated".. messages?
--
dann frazier
han the standard boilerplate in the
> advisory.
If the ABI change was introduced by the security update I'd agree -
but technically it was introduced by 4.0r1 (which includes rebuilds of
the various linux-modules- packages). The ABI change is noted in the
4.0r1 announcement.
--
dann frazier
On Thu, Aug 16, 2007 at 09:34:58AM +0100, Dominic Hargreaves wrote:
> On Thu, Aug 16, 2007 at 09:44:12AM +0200, Bjørn Mork wrote:
> > dann frazier <[EMAIL PROTECTED]> writes:
> >
> > > If you are using the apt-get package manager, use the line for
>
On Thu, Aug 16, 2007 at 09:44:12AM +0200, Bjørn Mork wrote:
> dann frazier <[EMAIL PROTECTED]> writes:
>
> > If you are using the apt-get package manager, use the line for
> > sources.list as given below:
> >
> > apt-get update
> > will update
>
> deb http://security.debian.org/ sarge/updates main
>
> Any ideas why?
Looks fine to me, what problem are you seeing?
Are you sure you have the proper meta packages installed to deal with
ABI changing updates (e.g., kernel-image-2.6-686)?
--
dann frazier
On Fri, Jun 15, 2007 at 07:16:00PM +0200, Willi Mann wrote:
> However, the advisory is still missing.
Yes, so are 3 archs - we're working on it :)
If you're curious, you can see the draft dsa text here:
svn cat svn://svn.debian.org/svn/kernel-sec/dsa-texts/2.6.8-sarge7
--
dann fra
ed here?
[EMAIL PROTECTED]:~$ wget -O - \
http://security.debian.org/dists/sarge/updates/main/binary-i386/Packages.gz \
2> /dev/null | gunzip | grep kernel-image-2.6-386
Package: kernel-image-2.6-386
Filename:
pool/updates/main/k/kernel-latest-2.6-i386/kernel-image-2.6-386_101sarge2_i386.deb
ins who prefer to use ar and run the maintainer
scripts by hand, and of course they are free to do so.
But, imo, Debian should document a single recommended procedure - and
direct execution of dpkg isn't something I'd recommend.
--
dann frazier
ay that 2.6.20-1 included fixes
for all of these issues.
--
dann frazier
before Christmas).
Thanks for your reply. Once this is accepted upstream, I think it is
reasonable to do another sarge update to restore this functionality.
--
dann frazier
e the patch to actually limit extent sizes instead of
the overall size of the file?
[1]
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=00a2b0f6dd2372842df73de72d51621b539fea44
--
dann frazier
minutes). I like the idiot-proof factor. Yes, they can ignore the
> popups, but they come so quickly that even the most stubborn user will
> get sick of them and reboot. I'd hate it if I was a Windows user,
> though, I'm sure!
Would this help?
http://lists.debian.org/debian-d
>
> > http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_i386.deb
> > Size/MD5 checksum: 528482 674bc0f5a55b5a9c089776946881912e
> >
--
dann frazier
'd suggest. But to reiterate, if
something in a kernel update causes the patch to no longer apply, I
would want to have a reliable contact (hopefully 2 people) whom we can
call upon for assistance.
--
dann frazier
patches were mostly
adding intents, etc - stuff that I thought had been merged upstream in
2.6.
--
dann frazier
On Mon, Jul 17, 2006 at 06:13:28PM +0200, Moritz Muehlenhoff wrote:
> There hasn't been an ABI change this time, so this wasn't necessary.
Explained here:
http://wiki.debian.org/DebianKernelABIChanges
--
dann frazier
We should be noting this in the kernel DSAs; I'll try to correct this
next time.
--
dann frazier
On Sun, May 21, 2006 at 01:55:27PM +0900, Seiji Kaneko wrote:
> Please re-issue this DSA. It is just broken.
>
How so?
--
dann frazier
pport ends next month, so there probably
won't be anything beyond this update.
--
dann frazier
d clearly
be other security fixes that were fixed upstream that weren't brought
to mitre's attention.
> And is there any public status / shape information on the debian kernels?
For issue-by-issue status, see svn://svn.debian.org/svn/kernel/patch-tracking
--
dann frazier
On Fri, Mar 24, 2006 at 10:00:11AM -0500, Kevin B. McCarty wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> For those running a Sparc with 2.4 kernel, it doesn't look like the
> metapackages "kernel-image-2.4-sparc{32,64}{,-smp}" have been updated
> correctly for Sarge -- they still de
On Fri, Mar 24, 2006 at 09:29:01AM -0500, Deepak Goel wrote:
> (sarge)
>
> Is the k7 package incorrectly uploaded by any chance?
The Packages file looks fine to me..
Do you have kernel-image-2.6-k7 installed? The updated version
of this package should pull in the kernel-image-2.6.8-3-k7 update.
On Tue, 2005-12-20 at 00:07 +0100, Johann Glaser wrote:
> Hi!
>
> On Wednesday, 14.12.2005, 23:34 +0100, Martin Schulze wrote:
> > [...]
> > Debian Security Advisory DSA 922-1 [EMAIL PROTECTED]
> > [...]
> > CVE IDs: CVE-2004-2302 CVE-2005-0756 CVE-2005-0757 CVE-200
On Wed, 2005-09-07 at 10:07 -0700, peace bwitchu wrote:
> Are the kernel packages in Sarge currently supported
> by the security team? I know that support for the
> kernel packages in Woody were dropped and you needed
> to roll your own for security updates. Is this how it
> is going to be in Sar