[Debian] [Announce] [Security] vzctl 4.9.4

Mon Aug 31 14:17:19 PDT 2015

On 08/31/2015 12:15 PM, Ola Lundqvist wrote:
> I was. :-) Thanks!
>
> Will look into this shortly. Will also look into backporting the fix.

Ola,

I think Igor (in Cc) will be able to provide the fix backported,
just let us know which version do you have in Debian (and a link
to sources, as I guess you have some patches in there, too).

Kir.

>
> // Ola
>
> On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin <kir at openvz.org 
> <mailto:kir at openvz.org>> wrote:
>
>
>
>     On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:
>
>         Hi
>
>         On 23:19 Tue 25 Aug , Ola Lundqvist wrote:
>
>             Hi again
>
>             Also I can not find where to download the software
>             (neither binaries nor
>             sources). Is it only available in git?
>
>         It is not so difficult to find sources.
>         We have one git repo for openvz sources -
>         src.openvz.org <http://src.openvz.org>.
>         vzctl sources are here
>         https://src.openvz.org/projects/OVZL/repos/vzctl/browse
>
>
>     Ola is probably asking about the source tarball. It's here:
>     http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2
>
>
>
>
>             Cheers
>
>             // Ola
>
>             On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist
>             <ola at inguza.com <mailto:ola at inguza.com>> wrote:
>
>                 Hi Sergey
>
>                 How serious should we consider this problem? Should I
>                 ask the Debian
>                 security team (Debian do not accept new revisions,
>                 just backports for
>                 security fixes to their stable releases) to backport
>                 this correction to the
>                 current vzctl stable package?
>
>                 In the meantime I'll build this 4.9.4 for debian
>                 unstable and also upload
>                 to the openvz download directory. First testing and
>                 then after a few days
>                 to the wheezy and jessie stable targets.
>
>                 Regards,
>
>                 // Ola
>
>
>
>                 On Tue, Aug 25, 2015 at 2:32 PM, Sergey Bronnikov
>                 <sergeyb at openvz.org <mailto:sergeyb at openvz.org>>
>                 wrote:
>
>                     OpenVZ project has released a new vzctl update for
>                     legacy OpenVZ.
>                     Read below for more information. Everybody is
>                     advised to upgrade.
>
>                     Changes
>                     =======
>                     * store VE layout to VE config on start
>                     * store VE layout in VE config during create and
>                     convert
>
>                     See full changelog here:
>                     https://src.openvz.org/projects/OVZL/repos/vzctl/commits
>
>                     Download
>                     ========
>                     http://wiki.openvz.org/Download/vzctl/4.9.4
>
>
>                     Thanks
>                     ======
>                     OpenVZ project would like to thank the RACK911LABS
>                     for discovering this
>                     bug and
>                     providing the attack scenario.
>
>
>                     Bug reporting
>                     =============
>                     Please report all bugs found to
>                     https://bugs.openvz.org/
>
>
>                     Other sources of info on updates
>                     ================================
>                     See http://planet.openvz.org/ to view all the news
>                     (including updates)
>                     online.
>                     There you can also find RSS/Atom feed links.
>
>
>                     Regards,
>                          OpenVZ team
>                     _______________________________________________
>                     Announce mailing list
>                     Announce at openvz.org <mailto:Announce at openvz.org>
>                     https://lists.openvz.org/mailman/listinfo/announce
>
>
>
>                 --
>                   --- Inguza Technology AB --- MSc in Information
>                 Technology ----
>                 / ola at inguza.com <mailto:ola at inguza.com>              
>                     Annebergsslingan 37        \
>                 | opal at debian.org <mailto:opal at debian.org>            
>                      654 65 KARLSTAD            |
>                 | http://inguza.com/       Mobile: +46 (0)70-332 1551
>                 <tel:%2B46%20%280%2970-332%201551> |
>                 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF
>                 0FE5 3DD9  /
>                 ---------------------------------------------------------------
>
>
>
>             -- 
>               --- Inguza Technology AB --- MSc in Information
>             Technology ----
>             / ola at inguza.com <mailto:ola at inguza.com>                  
>             Annebergsslingan 37        \
>             | opal at debian.org <mailto:opal at debian.org>                
>              654 65 KARLSTAD            |
>             | http://inguza.com/     Mobile: +46 (0)70-332 1551
>             <tel:%2B46%20%280%2970-332%201551> |
>             \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5
>             3DD9  /
>             ---------------------------------------------------------------
>
>
>
>
>
> -- 
>  --- Inguza Technology AB --- MSc in Information Technology ----
> / ola at inguza.com <mailto:ola at inguza.com>  Annebergsslingan 37        \
> | opal at debian.org <mailto:opal at debian.org>   654 65 KARLSTAD            |
> | http://inguza.com/  Mobile: +46 (0)70-332 1551 |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---------------------------------------------------------------
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openvz.org/pipermail/debian/attachments/20150831/dce4fbcf/attachment-0001.html>