Re: [SECURITY] [DSA 1458-1] New openafs packages fix denial of service vulnerability

From: Thomas Bushnell BSG <tb(at)becket.net>
Date: Fri Jan 11 2008 - 01:24:28 EST

On Thu, 2008-01-10 at 23:37 -0500, Noah Meyerhans wrote:
> On Thu, Jan 10, 2008 at 11:25:07PM -0500, Thomas Bushnell BSG wrote:
> > > Except that the security flaw is in the fileserver, which does not
> > > involve the kernel module at all and runs fine even without it
> > > installed.
> >
> > Surely. But then the security update shouldn't mention unaffected
> > packages!
>
> All binary packages built from a given source package are updated
> together. Yes, this is inefficient when many binary packages are built
> from a single source package. We mention all the binary packages in
> the advisory because they're the versions that are going to be installed
> by apt* and people are going to want checksums, file sizes, etc. We
> don't have any sane mechanism for updating a subset of a source
> package's binary packages. Until we do (don't hold your breath) we will
> continue to provide all the information we're currently providing.
>
> Surely you must have wondered in the past why a DSA for xfree86 required
> you to install new fonts...

No, I was happy to think as you describe: that the assumption is that all binary packages are updated together.

But I was just told that this is not actually the point. See, I noted that the posted instructions would *fail* to actually update all the binary packages together, and was told that this is not actually the point.

Perhaps instead of defensiveness, the real issue is this: installing upgraded debian packages is not sufficient, in the presence of kernel module source packages, to effect the necessary upgrades. Security announcements should make this clear, and contain correct complete instructions for whichever packages are mentioned.

If a security bug were found in the afs client-side package, which is implemented as a kernel module, would the announcement not look just like the one we saw for DSA 1458-1?

Thomas

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Fri Jan 11 01:23:58 2008
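The practical check behind Thomas's point, as an added example that is not part of the thread: after apt has installed the new openafs-modules-source package, the kernel-module package on disk may still be the one built from the old source. The script below compares the installed version of a -modules-source package against every module package built from it, using dpkg-query output. The package names (openafs-modules-source, openafs-modules-<kernel version>, openafs-client, openafs-fileserver), the constructed version strings, and the module-assistant convention of versioning built modules as "<source version>+<kernel package version>" are assumptions, not facts taken from the advisory.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian: report kernel-module
# packages that were built from an older version of a *-modules-source package
# than the one now installed, i.e. the situation where apt upgraded the source
# package but nobody re-ran module-assistant afterwards.
#
# Assumptions (not stated on the page): module packages are named
# "<source package minus -source>-<kernel version>" and module-assistant gives
# them a Version of "<source version>+<kernel package version>". Both hold for
# module-assistant-built packages such as openafs-modules-*, but verify them
# for your own packages.

# Usage: stale_modules <modules-source package>  < dpkg-query output
# stdin: lines of "<package> <version>", as produced on a real system by
#   dpkg-query -W -f='${Package} ${Version}\n'
# Prints one line per stale module package. Exit status: 0 if no module package
# is stale, 1 if at least one is, 2 if the source package is not installed.
stale_modules() {
    src="$1"
    base="${src%-source}"            # openafs-modules-source -> openafs-modules
    input=$(cat)

    srcver=$(printf '%s\n' "$input" | awk -v p="$src" '$1 == p { print $2 }')
    if [ -z "$srcver" ]; then
        echo "$src is not installed" >&2
        return 2
    fi

    printf '%s\n' "$input" | awk -v src="$src" -v prefix="$base-" -v want="$srcver" '
        # skip the source package itself (its name also starts with the prefix)
        $1 == src { next }
        # only binary module packages built from this source package
        index($1, prefix) != 1 { next }
        # accept an exact match or "<source version>+<kernel package version>"
        $2 == want || index($2, want "+") == 1 { next }
        { print $1 " built from " $2 ", installed source is " want; stale = 1 }
        END { exit stale ? 1 : 0 }
    '
}

# Constructed sample: the security update bumped openafs-modules-source, but the
# module package on disk was still built from the previous version.
SAMPLE_STALE='openafs-client 1.4.2-2
openafs-fileserver 1.4.2-2
openafs-modules-source 1.4.2-2
openafs-modules-2.6.18-5-686 1.4.2-1+2.6.18.dfsg.1-13'

# Constructed sample: module-assistant was re-run after the upgrade.
SAMPLE_FRESH='openafs-client 1.4.2-2
openafs-fileserver 1.4.2-2
openafs-modules-source 1.4.2-2
openafs-modules-2.6.18-5-686 1.4.2-2+2.6.18.dfsg.1-13'

# Demo: the first sample reports the stale module, the second reports nothing.
for sample in "$SAMPLE_STALE" "$SAMPLE_FRESH"; do
    if printf '%s\n' "$sample" | stale_modules openafs-modules-source; then
        echo "ok: module packages match openafs-modules-source"
    else
        echo "rebuild the module with module-assistant (or install the source package first)"
    fi
done
```

On a live system, replace the constructed samples with the real dpkg-query output and compare against what the kernel has actually loaded (modinfo on the module file); a rebuilt package that was never reloaded is just as stale as an unrebuilt one.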