tabanus Guru (Joined: 11 Jun 2004; Posts: 377; Location: UK)
Posted: Mon Oct 16, 2006 12:39 pm    Post subject: Kernel security updates
Can we have a better way of being informed about kernel security updates, because they don't appear to be included in GLSA?
I run "emerge -u world" weekly, and "emerge -uD world" monthly. That way I keep my system up to date without spending too much time doing it. The one package that I don't routinely update is the kernel, because of the extra time required configuring it. On the whole I stick to odd-numbered versions. For example, I'm currently running 2.6.17-r8. When 2.6.17-(r8+x) comes out, I'll update by simply reusing my current kernel .config.
When 2.6.18 is released to stable, I'll just mask it until 2.6.19 is released and that's when I know I need to go through the config one setting at a time and check on all the new features.
But if I knew there was an important security update in 2.6.18-r(x), I'd update straight away.
-- Never underestimate a hamster.

cokehabit Veteran (Joined: 22 Apr 2004; Posts: 3126; Location: Somewhere in the north of Italy)
Posted: Mon Oct 16, 2006 6:28 pm
How would you like this information? Would this be via a subscription email? Forum posts?
I have sent an email to gentoo-security and gentoo-kernel to get a comment from the people involved.
Personally I think it might be a good idea for an email, kind of like a security-updates@gentoo.org, to be sent out weekly or fortnightly. This could include others that you may feel are useful.
-- ihate - for all your hating needs
   pkgcore, the newest and best portage replacement
   *STILL* Bigger than Hitler and better than Jesus!!!!!!!!

super-lupo Tux's lil' helper (Joined: 29 Jun 2004; Posts: 89; Location: Germany / Berlin)
Posted: Mon Oct 16, 2006 8:12 pm
This would be a great idea!
The mail solution would probably be the easiest way.
Can't wait for this.
Regards,
Lupo

LD Apprentice (Joined: 22 Dec 2003; Posts: 226; Location: Exiled to Nashville, Tn)

tabanus Guru (Joined: 11 Jun 2004; Posts: 377; Location: UK)
Posted: Tue Oct 17, 2006 5:26 am
Why not just include it in GLSA? There's no point in having to sign up to another email list.
-- Never underestimate a hamster.

kallamej Administrator (Joined: 27 Jun 2003; Posts: 4445; Location: Göteborg, Sweden)
Posted: Tue Oct 17, 2006 5:37 am
Please see post 3450394 for some more context/history.
-- Please read our FAQ Forum, it answers many of your questions.
   irc: #gentoo-forums on irc.freenode.net

kadeux Tux's lil' helper (Joined: 21 Nov 2005; Posts: 103)
Posted: Tue Oct 17, 2006 9:13 am
I'm also missing announcements about kernel security vulnerabilities, but I understand some of the reasons (not enough manpower etc.). Another problem is that the installed kernel sources packages do not necessarily reflect the running kernel and that an emerge of the sources is not sufficient for updating the running kernel.
cokehabit wrote:
> How would you like this information? Would this be via a subscription email? Forum posts?
I favour an announcement similar to GLSA: on the mailing list gentoo-announce (maybe cross-posted to gentoo-security) AND in Gentoo Weekly News AND on the Forum Index page in Latest Site News (which could be expanded to 4 entries at a time) AND on a separate project page.
As a workaround to see if an update of the kernel sources is related to a security problem, you can use the option --changelog for emerge:
Code:
    # emerge -pv --changelog hardened-sources
    These are the packages that would be merged, in order:
    Calculating dependencies... done!
    [ebuild   R   ] sys-kernel/hardened-sources-2.6.16-r11  USE="-build -symlink" 0 kB
    Total size of downloads: 0 kB
Ok, bad example, because the latest version is already merged. To see the effect and to check the testing branch additionally:
Code:
    # ACCEPT_KEYWORDS="~x86" emerge -pv --changelog hardened-sources
    These are the packages that would be merged, in order:
    Calculating dependencies... done!
    [ebuild  NS   ] sys-kernel/hardened-sources-2.6.17-r1  USE="-build -symlink" 209 kB
    Total size of downloads: 209 kB
    *hardened-sources-2.6.17-r1
      26 Aug 2006; Christian Heim <phreak@gentoo.org>
      +hardened-sources-2.6.17-r1.ebuild:
      Revision bump to genpatches-2.6.17-8 (including .9 and .10) and updating the
      grsecurity patch.
    *hardened-sources-2.6.17
      17 Aug 2006; Christian Heim <phreak@gentoo.org>
      +hardened-sources-2.6.17.ebuild:
      Bumping the hardened-sources-2.6 series to 2.6.17, using
      genpatches-2.6.17-6.base.
      07 Aug 2006; <solar@gentoo.org> hardened-sources-2.6.16-r11.ebuild:
      - stable on x86 and amd64
To see the whole changelog and not only changes since your last installed version:
Code:
    less /usr/portage/sys-kernel/hardened-sources/ChangeLog
To check the changelog for security vulnerabilities you can run something like
Code:
    grep -B 4 -A 1 -Ei 'security|cve|vuln' /usr/portage/sys-kernel/hardened-sources/ChangeLog | less
(But I prefer to view the whole ChangeLog. It is not too long, the newest entries are on top and you can see the whole context.)
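The workaround above greps the ChangeLog by hand and leaves the reader to compare versions against the running kernel. As an added example, not part of the original post and not Gentoo's own tooling, the Python script below parses a ChangeLog into entries, flags the ones that mention a security keyword as a whole word, and reports only those newer than the kernel that is actually running, which is the gap between installed sources and running kernel that the post points out. The ChangeLog text is constructed for the example (its two older entries paraphrase the ones quoted above, the newest entry is invented and refers to no real bug), and the `uname -r` style version strings are constructed as well. One caveat the plain grep in the post does not handle: the word "grsecurity" appears in almost every hardened-sources revision bump, so a substring match on 'security' flags them all; the match here is anchored on word boundaries for that reason.

```python
"""Flag ChangeLog entries that look security-related and are newer than the
running kernel.

Added example, not code from the original post or from Gentoo. The ChangeLog
below is constructed: the two older entries paraphrase the ones quoted in the
thread, the newest one is invented and refers to no real bug. The running
kernel strings mimic `uname -r` for a Gentoo kernel and are also constructed.
"""
import re

# Whole-word match: "grsecurity" in an ordinary hardened-sources revision bump
# must not count as a security fix, although a plain grep for 'security' hits it.
SECURITY_RE = re.compile(r"\b(security|cve|vuln\w*|exploit\w*)\b", re.IGNORECASE)

# Entry headers look like "*hardened-sources-2.6.17-r1"; ChangeLogs that append
# " (26 Aug 2006)" on the same line are accepted, the date part is ignored.
ENTRY_RE = re.compile(r"^\*(?P<pkg>\S+?)-(?P<ver>\d\S*?)(?:\s+\(.*\))?\s*$")

# Ebuild versions ("2.6.17-r2") and uname -r output ("2.6.17-hardened-r2",
# "2.6.17-gentoo-r8"): dotted numbers, optional name parts, optional -rN.
VERSION_RE = re.compile(r"^(?P<nums>\d+(?:\.\d+)*)(?P<rest>(?:-[A-Za-z0-9]+)*)$")

SAMPLE_CHANGELOG = """\
# ChangeLog for sys-kernel/hardened-sources (constructed for this example)

*hardened-sources-2.6.17-r2

  30 Sep 2006; Example Developer <dev@example.invalid>
  +hardened-sources-2.6.17-r2.ebuild:
  Revision bump containing a security fix (entry invented for this example).

*hardened-sources-2.6.17-r1

  26 Aug 2006; Christian Heim <phreak@gentoo.org>
  +hardened-sources-2.6.17-r1.ebuild:
  Revision bump to genpatches-2.6.17-8 (including .9 and .10) and updating the
  grsecurity patch.

*hardened-sources-2.6.17

  17 Aug 2006; Christian Heim <phreak@gentoo.org>
  +hardened-sources-2.6.17.ebuild:
  Bumping the hardened-sources-2.6 series to 2.6.17, using
  genpatches-2.6.17-6.base.
"""


def parse_version(version):
    """'2.6.17-hardened-r2' -> ((2, 6, 17), 2); '2.6.17' -> ((2, 6, 17), 0).

    A CONFIG_LOCALVERSION suffix is tolerated as long as it consists of
    letters and digits; anything else must be stripped by the caller.
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    nums = tuple(int(x) for x in m.group("nums").split("."))
    rev = 0
    for part in m.group("rest").split("-")[1:]:
        rm = re.fullmatch(r"r(\d+)", part)
        if rm:
            rev = int(rm.group(1))
    return nums, rev


def parse_changelog(text):
    """Split a ChangeLog into [(version, body)] in file order (newest first).

    Lines before the first '*' header (the file banner) are dropped.
    """
    entries = []
    body = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            body = []
            entries.append((m.group("ver"), body))
        elif body is not None:
            body.append(line.strip())
    return [(ver, "\n".join(lines).strip()) for ver, lines in entries]


def pending_security_updates(changelog_text, running):
    """Versions whose entry mentions a security keyword and which are newer
    than the running kernel, newest first."""
    running_version = parse_version(running)
    return [
        ver for ver, body in parse_changelog(changelog_text)
        if SECURITY_RE.search(body) and parse_version(ver) > running_version
    ]


if __name__ == "__main__":
    for running in ("2.6.16-hardened-r11", "2.6.17-hardened-r1", "2.6.17-hardened-r2"):
        print(running, "->", pending_security_updates(SAMPLE_CHANGELOG, running))
```

To run it against the real file, read /usr/portage/sys-kernel/<package>/ChangeLog and pass the output of uname -r as the running version. Anything it returns is only a candidate to read in full: the keyword test is a first filter and says nothing about whether the fixed code is even compiled into your configuration.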

tabanus Guru (Joined: 11 Jun 2004; Posts: 377; Location: UK)
Posted: Tue Oct 17, 2006 12:13 pm
I don't think you need several places for the security announcements, just as long as we all know where it is. I don't think an ebuild change log is really the best place for it.
So, if there is a supposed dedicated project, who is responsible for this? Is it simply a case of lack of manpower preventing the announcements, or is it some other resource or difficulty collating the information?
-- Never underestimate a hamster.

Shopro l33t (Joined: 12 May 2004; Posts: 678; Location: Dayton, OH, USA)
Posted: Tue Oct 17, 2006 12:19 pm
This is all I can find: http://www.gentoo.org/proj/en/security/kernel.xml
Quote:
> b) Kernel team status
> Just as the GLSA team, the kernel team lacks the sufficient amount of manpower
> needed to operate as wished. As a result, the KISS project (a system designed
> to release kernel security advisories), originally thought to go live by 2005,
> still isn't ready for production use since the manpower to keep it fully
> updated is lacking. Although KISS is closely tied to the kernel work, a scout
> and a coordinator, who help finding and handling kernel bugs, are needed to
> fully implement it. Besides that, a draft of the kernel security policy [2]
> has been presented, which is expected to reduce the workload for the
> kernel team while improving the general enduser kernel security awareness.
-- Just because I have nothing to say is no reason why you shouldn't listen.

kadeux Tux's lil' helper (Joined: 21 Nov 2005; Posts: 103)
Posted: Tue Oct 17, 2006 1:13 pm
tabanus wrote:
> I don't think an ebuild change log is really the best place for it.
True. That's why I've called it a workaround.
tabanus wrote:
> I don't think you need several places for the security announcements, just as long as we all know where it is.
If the infrastructure is established (and automated), you can reach many more affected users in a short time. That could be essential if it is a critical security issue. GLSAs are announced in all the places I've mentioned (and also on Bugtraq). Even developers or users with production servers are not (always) reading the forums, and many users are not reading any mailing lists. The research and testing for, and the writing of, these advisories are much more time consuming than an automated publication to more than one channel.
(Edit: typo)

dsd Developer (Joined: 30 Mar 2003; Posts: 2162; Location: nr London)
Posted: Tue Oct 17, 2006 8:16 pm
Kernels aren't suitable for GLSAs as we have so many of them; it just takes so long to get all the maintainers to fix their kernel packages.
The solution for this was KISS, a dynamic website which tracks kernel security issues and was to allow users to sign up for email notifications. Unfortunately development slowed and it didn't work out well from the maintainers' end (the maintainers must manually update the website to publish that a kernel is fixed -- this could be mostly automated, but it's not).
Also the KISS developer is no longer contributing to Gentoo. He was also the kernel security person, and I don't think anyone has stepped in to take over that role.
We all have ideas and knowledge of how a system could work. Really the issues here are that we don't have anyone developing KISS (or an alternative), and that we don't have someone actively working on kernel security anymore.
-- http://dev.gentoo.org/~dsd

dsd Developer (Joined: 30 Mar 2003; Posts: 2162; Location: nr London)

cokehabit Veteran (Joined: 22 Apr 2004; Posts: 3126; Location: Somewhere in the north of Italy)
Posted: Tue Oct 17, 2006 8:51 pm
Hmmmmm.
Well, I see a few ways from here.
1) We wait for a new developer to take over the KISS project (plasmaroo has left, which is a great pity).
2) We could see if it would be possible for a user to take over the project (if we found one to).
3) We could ask if a new mailing list could be created (where devs just copy and paste details; it would be ideal for a developer who has no coding skills as such).
Any other ideas?
-- ihate - for all your hating needs
   pkgcore, the newest and best portage replacement
   *STILL* Bigger than Hitler and better than Jesus!!!!!!!!

kadeux Tux's lil' helper (Joined: 21 Nov 2005; Posts: 103)
Posted: Wed Oct 18, 2006 7:36 am
Sorry to hear that.
dsd wrote:
> KISS screenshots:
Looks good.
Judging KISS on the screenshots ("Don't judge a book by its cover", I know..) it presents a good overview of kernel vulnerability bugs in Bugzilla and offers good categories to classify the vulnerabilities.
dsd wrote:
> we don't have someone actively working on kernel security anymore
Bad news.
In the meantime users concerned about (kernel) security have to do their homework. We are all system administrators in the end, aren't we? For many users it will be sufficient to know if:
Latest Most Secure Version == Latest stable version?
Oldest stable version == Fixed Version?
Users that are more interested in details can search on Bugzilla. Kernel vulnerabilities seem to be classified as follows:
Product: Gentoo Security
Component: Kernel
Using Advanced Search with these settings (and adding more search options) is normally sufficient, but you will miss e.g. Bug #113322 as it is filed under Component: Vulnerabilities because a non-kernel package is also affected. Maybe we can get additional predefined search fields in Bugzilla (and a "marker" field in the bug reports which can be set by the assignee) to find all kernel security/vulnerability bugs in one search. Another question: what about vulnerabilities that are known by maintainers/upstream and get fixed without an existing bug report in Bugzilla? How do we inform the users of older kernels? (For me it would be sufficient when the package is removed and the reason is clearly stated in the ChangeLog, but I guess not all users agree here.)

ryker Guru (Joined: 28 May 2003; Posts: 392; Location: Portage, IN)
Posted: Wed Oct 18, 2006 8:59 am
cokehabit wrote:
> We could ask if a new mailing list could be created (where devs just copy and paste details, it would be ideal for a developer who has no coding skills as such).
If you could define the job requirements a little more, I would probably be willing to volunteer for this. I have been looking for a way to help out with Gentoo, but I'm not familiar with writing code in Linux (beyond writing simple bash scripts).
-- Athlon 64 3200+, 80G WD sata hd + 200G IDE, 1G Geil DDR400, MSI K8T Neo
   IntelCore2Duo 2.0Ghz MSI laptop, 100G SATA hd, 2G RAM

Shopro l33t (Joined: 12 May 2004; Posts: 678; Location: Dayton, OH, USA)
Posted: Wed Oct 18, 2006 9:03 am
ryker wrote:
> cokehabit wrote:
> > We could ask if a new mailing list could be created (where devs just copy and paste details, it would be ideal for a developer who has no coding skills as such).
> If you could define the job requirements a little more, I would probably be willing to volunteer for this. I have been looking for a way to help out with Gentoo, but I'm not familiar with writing code in Linux (beyond writing simple bash scripts).
I think I might be able to help too.
-- Just because I have nothing to say is no reason why you shouldn't listen.

tabanus Guru (Joined: 11 Jun 2004; Posts: 377; Location: UK)
Posted: Wed Oct 18, 2006 10:01 am
OK, it's clearer now what the problem is. I think it might be easier to manage for someone new to this just to take care of gentoo-sources (the default Gentoo kernel, I believe), and possibly hardened-sources (for the security conscious).
-- Never underestimate a hamster.

cokehabit Veteran (Joined: 22 Apr 2004; Posts: 3126; Location: Somewhere in the north of Italy)
Posted: Wed Oct 18, 2006 10:52 am
ryker wrote:
> cokehabit wrote:
> > We could ask if a new mailing list could be created (where devs just copy and paste details, it would be ideal for a developer who has no coding skills as such).
> If you could define the job requirements a little more, I would probably be willing to volunteer for this. I have been looking for a way to help out with Gentoo, but I'm not familiar with writing code in Linux (beyond writing simple bash scripts).
Shopro wrote:
> I think I might be able to help too.
Well, all that is needed is to find out how all the security alerts come in and then find out when they were fixed and by whom. This would have to be gentoo-sources, hardened-sources and vanilla-sources.
I think we need a dev to point us in the right direction. I wonder if there is anything on the LKML about this?
-- ihate - for all your hating needs
   pkgcore, the newest and best portage replacement
   *STILL* Bigger than Hitler and better than Jesus!!!!!!!!

djay Apprentice (Joined: 18 Apr 2005; Posts: 188; Location: Israel)
Posted: Wed Oct 18, 2006 8:03 pm
cokehabit wrote:
> Well, all that is needed is to find out how all the security alerts come in and then find out when they were fixed and by whom. This would have to be gentoo-sources, hardened-sources and vanilla-sources.
How about XML (RSS) feeds for alerts? You could have one for all alerts, and a separate one for each source package.
The convenience of feeds is that they could be easily parsed, and at the moment of "emerge" the XML feed (server) could be contacted and updates since last time would be visible.
Besides, it can be handled as an addition to the mailing list, not a replacement.
I know, it still doesn't solve the problem of getting the alerts in the first place. For this, a dev's advice is definitely needed.
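The consumer side of the feed idea in this post, as an added example that is not code from the original post or from Gentoo: a Python script that parses an RSS 2.0 feed, keeps only the items published after the last check, and can be narrowed to a single source package through each item's <category>. The feed text is constructed for the example; its titles, links and dates are invented and describe no real advisory. Fetching the feed over HTTP and storing the last-seen timestamp between runs are left to the caller, which is why the function takes the feed text and the timestamp as arguments.

```python
"""Show only the advisory feed items published since the last check,
optionally limited to one kernel source package.

Added example, not code from the original post or from Gentoo. The feed below
is constructed: titles, links and dates are made up and describe no real
advisory. HTTP fetching and persistence of the last-seen time are the
caller's job; pass the feed text and an ISO 8601 timestamp with offset.
"""
import xml.etree.ElementTree as ET
from datetime import datetime
from email.utils import parsedate_to_datetime

SAMPLE_FEED = """\
<rss version="2.0">
  <channel>
    <title>Constructed kernel advisory feed (example only)</title>
    <item>
      <title>hardened-sources: security update (constructed item 3)</title>
      <link>http://example.invalid/advisory/3</link>
      <category>hardened-sources</category>
      <pubDate>Wed, 18 Oct 2006 09:00:00 +0000</pubDate>
    </item>
    <item>
      <title>gentoo-sources: security update (constructed item 2)</title>
      <link>http://example.invalid/advisory/2</link>
      <category>gentoo-sources</category>
      <pubDate>Mon, 16 Oct 2006 12:00:00 +0000</pubDate>
    </item>
    <item>
      <title>vanilla-sources: security update (constructed item 1)</title>
      <link>http://example.invalid/advisory/1</link>
      <category>vanilla-sources</category>
      <pubDate>Fri, 13 Oct 2006 08:00:00 +0000</pubDate>
    </item>
  </channel>
</rss>
"""


def parse_feed(xml_text):
    """Return the feed's <item> elements as dicts; pubDate (RFC 822 format)
    becomes a timezone-aware datetime so items can be compared safely."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": item.findtext("title", default=""),
            "link": item.findtext("link", default=""),
            "package": item.findtext("category", default=""),
            "published": parsedate_to_datetime(item.findtext("pubDate")),
        })
    return items


def alerts_since(xml_text, last_seen_iso, package=None):
    """Items newer than last_seen_iso, newest first. With package set, only
    items whose <category> names that source package are returned."""
    last_seen = datetime.fromisoformat(last_seen_iso)
    hits = [
        item for item in parse_feed(xml_text)
        if item["published"] > last_seen
        and (package is None or item["package"] == package)
    ]
    hits.sort(key=lambda item: item["published"], reverse=True)
    return hits


if __name__ == "__main__":
    for item in alerts_since(SAMPLE_FEED, "2006-10-15T00:00:00+00:00"):
        print(item["published"].isoformat(), item["package"], item["title"])
```

Called from a cron job or a pre-emerge hook, the caller would record the newest `published` value it has already reported and pass it back as `last_seen_iso` on the next run. Filtering on the feed's own pubDate rather than on item position keeps the result correct if the feed is re-sorted or truncated between checks.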

dice Guru (Joined: 21 Apr 2002; Posts: 577)
Posted: Thu Oct 19, 2006 2:23 am
FYI, a quick way to do a kernel upgrade:
Code:
    # cd /usr/src
    # cp linux-oldversion/.config linux-newversion/
    # cd linux-newversion
    # make oldconfig
It will keep your previous settings and ask you about any new ones. From there just build the kernel, install modules, and copy the kernel over to /boot as per usual.

Janne Pikkarainen Veteran (Joined: 29 Jul 2003; Posts: 1110; Location: Helsinki, Finland)
Posted: Thu Oct 19, 2006 3:56 am
RSS feed of GLSA's / kernel security updates would be lovely!
-- Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

Xake Guru (Joined: 11 Feb 2004; Posts: 462; Location: Good old and cold scandinavia)
Posted: Thu Oct 19, 2006 4:41 am
Janne Pikkarainen wrote:
> RSS feed of GLSA's / kernel security updates would be lovely!
Second that!

kallamej Administrator (Joined: 27 Jun 2003; Posts: 4445; Location: Göteborg, Sweden)
Posted: Thu Oct 19, 2006 7:08 am
Janne Pikkarainen wrote:
> RSS feed of GLSA's / kernel security updates would be lovely!
Anything wrong with this GLSA feed? Of course, that does not solve the topic of this thread.
-- Please read our FAQ Forum, it answers many of your questions.
   irc: #gentoo-forums on irc.freenode.net

Janne Pikkarainen Veteran (Joined: 29 Jul 2003; Posts: 1110; Location: Helsinki, Finland)
Posted: Thu Oct 19, 2006 7:13 am
kallamej wrote:
> Anything wrong with this GLSA feed? Of course, that does not solve the topic of this thread.
Bwah? One exists already! Thank you! Nothing wrong with that feed, except that it was well hidden from me.
I keep an eye on the GLSA index page and since it didn't have any hint of RSS, I thought there wouldn't be a feed in existence. Glad I was proven wrong - maybe the GLSA index page could be improved to tell about the RSS possibility?
-- Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

ryker Guru (Joined: 28 May 2003; Posts: 392; Location: Portage, IN)
Posted: Thu Oct 19, 2006 9:27 am
I never noticed that feed either. I agree, it's not a very good place to publicize the feed.
-- Athlon 64 3200+, 80G WD sata hd + 200G IDE, 1G Geil DDR400, MSI K8T Neo
   IntelCore2Duo 2.0Ghz MSI laptop, 100G SATA hd, 2G RAM