[Secure-testing-team] Re: DTSA for 2.6.8 and 2.4.27

[Horms]

On Thu, Sep 08, 2005 at 09:17:25PM -0500, Micah Anderson wrote:
> Hi,
> 
> I think it would be a good idea to get a DTSA (Debian Testing Security
> Advisory) issued for 2.4.27 and 2.6.8. 
> 
> 2.4.27-11 is already in testing, but the number of security bugs fixed in
> this version is significant: there are 9 CAN numbers for 2.4.27-11[1]; and 4
> other security patches that do not have CVE entries[2]. It seems that it
> would be a good idea to do an advisory to alert people that these security
> holes have been fixed and that they need to upgrade and reboot if they
> haven't already
> 
> 2.6.8 is scheduled to be removed from sid, and consequentially in testing as
> well, however it may be good to do an advisory to alert those who are
> running 2.6.8 to upgrade to linux-2.6 (2.6.12) as the kernel they are
> running is not being supported (and the transition is not super obvious) and
> the number of security holes for the version in testing (2.6.8-16) adds up
> to a whopping 13 CAN numbers[3] and 21 other security patches[4].
>       
> Neither of these advisories is a typical DTSA, as we normally we only do
> advisories for things that are blocked from reaching testing by some other
> issue, but I think that it would be good to do these two advisories because
> of the sheer number of security holes fixed as well as the necessary upgrade
> path that people need to take if they wish to maintain the integrity of
> their machines.
> 
> I have begun the work to prepare this advisory for release, we basically
> need 2.6.8 to leave the archvie and the 2.6.12 packages to enter testing
> before the 2.6.8 DTSA can be released. The DTSA would just list the normal
> testing repositories for the upgrade (rather than the secure-testing
> repositories).
> 
> 
> Micah
> 
> 1. CAN-2005-2458, CAN-2005-2459, CAN-2005-1767, CAN-2005-2456,
> CAN-2005-1768, CAN-2005-0756 CAN-2005-0757, CAN-2005-1762, CAN-2005-1768
> 
> 2. 184_arch-x86_64-ia32-ptrace32-oops.diff,
> 174_net-ipv4-netfilter-nat-mem.diff, 178_fs_ext2_ext3_xattr-sharing.diff,
> 179_net-ipv4-netfilter-ip_recent-last_pkts.diff
> 
> 3. CAN-2005-1763, CAN-2005-1762, CAN-2005-0756, CAN-2005-1265, CAN-2005-0757,
> CAN-2005-1765, CAN-2005-1761, CAN-2005-2456, CAN-2005-2548, CAN-2004-2302,
> CAN-2005-1767, CAN-2005-2458, CAN-2005-2459 
> 
> 4. mckinley_icache.dpatch, arch-x86_64-kernel-smp-boot-race.dpatch,
> arch-x86_64-mm-ioremap-page-lookup.dpatch,
> fs-exec-ptrace-core-exec-race.dpatch, fs-exec-ptrace-deadlock.dpatch, 
> fs-exec-posix-timers-leak-1.dpatch, fs-exec-posix-timers-leak-2.dpatch,
> fs-hfs-oops-and-leak.dpatch, net-bridge-netfilter-etables-smp-race.dpatch,
> net-bridge-forwarding-poison-2.dpatch, net-rose-ndigis-verify.dpatch,
> sound-usb-usbaudio-unplug-oops.dpatch, net-ipv4-ipvs-conn_tab-race.dpatch,
> arch-ia64-ptrace-getregs-putregs.dpatch, ppc32-time_offset-misuse.dpatch,
> netfilter-NAT-memory-corruption.dpatch,
> netfilter-ip_conntrack_untracked-refcount.dpatch,
> sys_get_thread_area-leak.dpatch, fs_ext2_ext3_xattr-sharing.dpatch,
> net-ipv4-netfilter-ip_recent-last_pkts.dpatch,
> arch-x86_64-mm-ioremap-page-lookup-fix.dpatch	       

That seems fine to me, at a glance. Though there have been some
aditional bugs fixed in SVN. I have added the relevant patches to all
trees that were effected, though as only 2.4.27 and 2.6.12 are reevant
to this discussion. It might be a good time to spin 2.4.27-12 and get
that into unstable. And linux-2.6 2.6.12-6, which was released earleier
this week, should be up to date.

I've also added team at security.debian.org, as I would like to keep
them in the loop with regards to security activity.

-- 
Horms