[Secure-testing-team] DTSA for 2.6.8 and 2.4.27

Micah Anderson micah at debian.org
Fri Sep 9 02:17:25 UTC 2005


Hi,

I think it would be a good idea to get a DTSA (Debian Testing Security
Advisory) issued for 2.4.27 and 2.6.8. 

2.4.27-11 is already in testing, but the number of security bugs fixed in
this version is significant: there are 9 CAN numbers for 2.4.27-11[1]; and 4
other security patches that do not have CVE entries[2]. It seems that it
would be a good idea to do an advisory to alert people that these security
holes have been fixed and that they need to upgrade and reboot if they
haven't already.

2.6.8 is scheduled to be removed from sid, and consequentially in testing as
well, however it may be good to do an advisory to alert those who are
running 2.6.8 to upgrade to linux-2.6 (2.6.12) as the kernel they are
running is not being supported (and the transition is not super obvious) and
the number of security holes for the version in testing (2.6.8-16) adds up
to a whopping 13 CAN numbers[3] and 21 other security patches[4].

Neither of these advisories is a typical DTSA, as normally we only do
advisories for things that are blocked from reaching testing by some other
issue, but I think that it would be good to do these two advisories because
of the sheer number of security holes fixed as well as the necessary upgrade
path that people need to take if they wish to maintain the integrity of
their machines.

I have begun the work to prepare this advisory for release; we basically
need 2.6.8 to leave the archive and the 2.6.12 packages to enter testing
before the 2.6.8 DTSA can be released. The DTSA would just list the normal
testing repositories for the upgrade (rather than the secure-testing
repositories).


Micah

1. CAN-2005-2458, CAN-2005-2459, CAN-2005-1767, CAN-2005-2456,
CAN-2005-1768, CAN-2005-0756, CAN-2005-0757, CAN-2005-1762, CAN-2005-1768

2. 184_arch-x86_64-ia32-ptrace32-oops.diff,
174_net-ipv4-netfilter-nat-mem.diff, 178_fs_ext2_ext3_xattr-sharing.diff,
179_net-ipv4-netfilter-ip_recent-last_pkts.diff

3. CAN-2005-1763, CAN-2005-1762, CAN-2005-0756, CAN-2005-1265, CAN-2005-0757,
CAN-2005-1765, CAN-2005-1761, CAN-2005-2456, CAN-2005-2548, CAN-2004-2302,
CAN-2005-1767, CAN-2005-2458, CAN-2005-2459 

4. mckinley_icache.dpatch, arch-x86_64-kernel-smp-boot-race.dpatch,
arch-x86_64-mm-ioremap-page-lookup.dpatch,
fs-exec-ptrace-core-exec-race.dpatch, fs-exec-ptrace-deadlock.dpatch, 
fs-exec-posix-timers-leak-1.dpatch, fs-exec-posix-timers-leak-2.dpatch,
fs-hfs-oops-and-leak.dpatch, net-bridge-netfilter-etables-smp-race.dpatch,
net-bridge-forwarding-poison-2.dpatch, net-rose-ndigis-verify.dpatch,
sound-usb-usbaudio-unplug-oops.dpatch, net-ipv4-ipvs-conn_tab-race.dpatch,
arch-ia64-ptrace-getregs-putregs.dpatch, ppc32-time_offset-misuse.dpatch,
netfilter-NAT-memory-corruption.dpatch,
netfilter-ip_conntrack_untracked-refcount.dpatch,
sys_get_thread_area-leak.dpatch, fs_ext2_ext3_xattr-sharing.dpatch,
net-ipv4-netfilter-ip_recent-last_pkts.dpatch,
arch-x86_64-mm-ioremap-page-lookup-fix.dpatch