[Debian] [Announce] [Security] vzctl 4.9.4

Ola Lundqvist ola at inguza.com
Mon Aug 31 14:22:27 PDT 2015


Privet Kir and Igor

Sources and patches here:
ftp://ftp.debian.org/debian/pool/main/v/vzctl/

Source is named .orig.tar.gz
and the patches are either in .diff.gz or packaged in .debian.tar.gz

I think we should at least backport 4.8 (current stable) and then maybe
oldstable 3.0.30. 3.0.24 is oldold stable so I guess you can skip that.

Thanks in advance

// Ola

On Mon, Aug 31, 2015 at 11:17 PM, Kir Kolyshkin <kir at odin.com> wrote:

>
>
> On 08/31/2015 12:15 PM, Ola Lundqvist wrote:
>
> I was. :-) Thanks!
>
> Will look into this shortly. Will also look into backporting the fix.
>
>
> Ola,
>
> I think Igor (in Cc) will be able to provide the fix backported,
> just let us know which version you have in Debian (and a link
> to sources, as I guess you have some patches in there, too).
>
> Kir.
>
>
>
> // Ola
>
> On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin <kir at openvz.org> wrote:
>
>>
>>
>> On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:
>>
>>> Hi
>>>
>>> On 23:19 Tue 25 Aug , Ola Lundqvist wrote:
>>>
>>>> Hi again
>>>>
>>>> Also I can not find where to download the software (neither binaries nor
>>>> sources). Is it only available in git?
>>>>
>>> It is not so difficult to find sources.
>>> We have one git repo for openvz sources -
>>> src.openvz.org.
>>> vzctl sources are here
>>> https://src.openvz.org/projects/OVZL/repos/vzctl/browse
>>>
>>
>> Ola is probably asking about the source tarball. It's here:
>> http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2
>>
>>
>>
>>>
>>> Cheers
>>>>
>>>> // Ola
>>>>
>>>> On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist <ola at inguza.com> wrote:
>>>>
>>>> Hi Sergey
>>>>>
>>>>> How serious should we consider this problem? Should I ask the Debian
>>>>> security team (Debian does not accept new revisions, just backports for
>>>>> security fixes to their stable releases) to backport this correction to the
>>>>> current vzctl stable package?
>>>>>
>>>>> In the meantime I'll build this 4.9.4 for Debian unstable and also upload
>>>>> to the openvz download directory. First testing and then after a few days
>>>>> to the wheezy and jessie stable targets.
>>>>>
>>>>> Regards,
>>>>>
>>>>> // Ola
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Aug 25, 2015 at 2:32 PM, Sergey Bronnikov <sergeyb at openvz.org>
>>>>> wrote:
>>>>>
>>>>> OpenVZ project has released a new vzctl update for legacy OpenVZ.
>>>>>> Read below for more information. Everybody is advised to upgrade.
>>>>>>
>>>>>> Changes
>>>>>> =======
>>>>>> * store VE layout to VE config on start
>>>>>> * store VE layout in VE config during create and convert
>>>>>>
>>>>>> See full changelog here:
>>>>>> https://src.openvz.org/projects/OVZL/repos/vzctl/commits
>>>>>>
>>>>>> Download
>>>>>> ========
>>>>>> http://wiki.openvz.org/Download/vzctl/4.9.4
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> ======
>>>>>> OpenVZ project would like to thank the RACK911LABS for discovering this
>>>>>> bug and providing the attack scenario.
>>>>>>
>>>>>>
>>>>>> Bug reporting
>>>>>> =============
>>>>>> Please report all bugs found to https://bugs.openvz.org/
>>>>>>
>>>>>>
>>>>>> Other sources of info on updates
>>>>>> ================================
>>>>>> See http://planet.openvz.org/ to view all the news (including updates)
>>>>>> online.
>>>>>> There you can also find RSS/Atom feed links.
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>      OpenVZ team
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>>   --- Inguza Technology AB --- MSc in Information Technology ----
>>>>> /  ola at inguza.com                    Annebergsslingan 37        \
>>>>> |  opal at debian.org                   654 65 KARLSTAD            |
>>>>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>>>>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>>>>>   ---------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
>
>
>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at inguza.com                    Annebergsslingan 37        \
|  opal at debian.org                   654 65 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------