[Debian] [Announce] [Security] vzctl 4.9.4
Igor Bazhitov
ibazhitov at odin.com
Tue Sep 1 02:14:57 PDT 2015
Hi.
>
> Can you please port the security fix to Debian's vzctl 4.8 and provide
> the patch(es) to Ola?
OK, I'll look into it this week.
01.09.2015 00:37, Kir Kolyshkin writes:
>
>
> On 08/31/2015 02:22 PM, Ola Lundqvist wrote:
>> Privet Kir and Igor
>>
>> Sources and patches here:
>> ftp://ftp.debian.org/debian/pool/main/v/vzctl/
>>
>> Source is named .orig.tar.gz
>> and the patches are either in .diff.gz or packaged in .debian.tar.gz
>>
>> I think we should at least backport 4.8 (current stable) and then
>> maybe oldstable 3.0.30. 3.0.24 is oldold stable so I guess you can
>> skip that.
>
> As ploop support only appears in vzctl 3.1, 3.0.x doesn't need to be
> patched.
>
> Igor,
>
> Can you please port the security fix to Debian's vzctl 4.8 and provide
> the patch(es) to Ola?
>
> Kir.
>
>>
>> Thanks in advance
>>
>> // Ola
>>
>> On Mon, Aug 31, 2015 at 11:17 PM, Kir Kolyshkin <kir at odin.com> wrote:
>>
>>
>>
>> On 08/31/2015 12:15 PM, Ola Lundqvist wrote:
>>> I was. :-) Thanks!
>>>
>>> Will look into this shortly. Will also look into backporting the fix.
>>
>> Ola,
>>
>> I think Igor (in Cc) will be able to provide the fix backported,
>> just let us know which version you have in Debian (and a link
>> to sources, as I guess you have some patches in there, too).
>>
>> Kir.
>>
>>
>>>
>>> // Ola
>>>
>>> On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin <kir at openvz.org> wrote:
>>>
>>>
>>>
>>> On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:
>>>
>>> Hi
>>>
>>> On 23:19 Tue 25 Aug , Ola Lundqvist wrote:
>>>
>>> Hi again
>>>
>>> Also I can not find where to download the software
>>> (neither binaries nor
>>> sources). Is it only available in git?
>>>
>>> It is not so difficult to find sources.
>>> We have one git repo for openvz sources -
>>> src.openvz.org <http://src.openvz.org>.
>>> vzctl sources are here:
>>> https://src.openvz.org/projects/OVZL/repos/vzctl/browse
>>>
>>>
>>> Ola is probably asking about the source tarball. It's here:
>>> http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2
>>>
>>>
>>>
>>>
>>>
>>> Cheers
>>>
>>> // Ola
>>>
>>> On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist <ola at inguza.com> wrote:
>>>
>>> Hi Sergey
>>>
>>> How serious should we consider this problem?
>>> Should I ask the Debian
>>> security team (Debian do not accept new
>>> revisions, just backports for
>>> security fixes to their stable releases) to
>>> backport this correction to the
>>> current vzctl stable package?
>>>
>>> In the meantime I'll build this 4.9.4 for debian
>>> unstable and also upload
>>> to the openvz download directory. First testing
>>> and then after a few days
>>> to the wheezy and jessie stable targets.
>>>
>>> Regards,
>>>
>>> // Ola
>>>
>>>
>>>
>>> On Tue, Aug 25, 2015 at 2:32 PM, Sergey Bronnikov <sergeyb at openvz.org> wrote:
>>>
>>> OpenVZ project has released a new vzctl
>>> update for legacy OpenVZ.
>>> Read below for more information. Everybody is
>>> advised to upgrade.
>>>
>>> Changes
>>> =======
>>> * store VE layout to VE config on start
>>> * store VE layout in VE config during create
>>> and convert
>>>
>>> See full changelog here:
>>> https://src.openvz.org/projects/OVZL/repos/vzctl/commits
>>>
>>> Download
>>> ========
>>> http://wiki.openvz.org/Download/vzctl/4.9.4
>>>
>>>
>>> Thanks
>>> ======
>>> OpenVZ project would like to thank the
>>> RACK911LABS for discovering this
>>> bug and
>>> providing the attack scenario.
>>>
>>>
>>> Bug reporting
>>> =============
>>> Please report all bugs found to
>>> https://bugs.openvz.org/
>>>
>>>
>>> Other sources of info on updates
>>> ================================
>>> See http://planet.openvz.org/ to view all the
>>> news (including updates)
>>> online.
>>> There you can also find RSS/Atom feed links.
>>>
>>>
>>> Regards,
>>> OpenVZ team
>>> _______________________________________________
>>> Announce mailing list
>>> Announce at openvz.org
>>> https://lists.openvz.org/mailman/listinfo/announce
>>>
>>>
>>>
>>> --
>>>  --- Inguza Technology AB --- MSc in Information Technology ----
>>> /  ola at inguza.com                    Annebergsslingan 37        \
>>> |  opal at debian.org                   654 65 KARLSTAD            |
>>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>>>  ---------------------------------------------------------------
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>