[Debian] [Announce] [Security] vzctl 4.9.4
Igor Bazhitov
ibazhitov at odin.com
Thu Sep 3 03:36:43 PDT 2015
Hi, Ola.
There are 4 patches in the original fix - 2 of them make various
preparations and the other 2 do the actual fix. Do you need them ported
to vzctl-4.8 as is, or as one big cumulative patch?
WBR, Igor Bazhitov.
01.09.2015 00:22, Ola Lundqvist writes:
> Privet Kir and Igor
>
> Sources and patches here:
> ftp://ftp.debian.org/debian/pool/main/v/vzctl/
>
> Source is named .orig.tar.gz
> and the patches are either in .diff.gz or packaged in .debian.tar.gz
>
> I think we should at least backport 4.8 (current stable) and then maybe
> oldstable 3.0.30. 3.0.24 is oldold stable so I guess you can skip that.
>
> Thanks in advance
>
> // Ola
>
> On Mon, Aug 31, 2015 at 11:17 PM, Kir Kolyshkin <kir at odin.com> wrote:
>
>
>
> On 08/31/2015 12:15 PM, Ola Lundqvist wrote:
>> I was. :-) Thanks!
>>
>> Will look into this shortly. Will also look into backporting the fix.
>
> Ola,
>
> I think Igor (in Cc) will be able to provide the fix backported,
> just let us know which version you have in Debian (and a link
> to sources, as I guess you have some patches in there, too).
>
> Kir.
>
>
>>
>> // Ola
>>
>> On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin <kir at openvz.org> wrote:
>>
>>
>>
>> On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:
>>
>> Hi
>>
>> On 23:19 Tue 25 Aug , Ola Lundqvist wrote:
>>
>> Hi again
>>
>> Also I can not find where to download the software (neither binaries nor
>> sources). Is it only available in git?
>>
>> It is not so difficult to find sources.
>> We have one git repo for openvz sources - src.openvz.org.
>> vzctl sources are here
>> https://src.openvz.org/projects/OVZL/repos/vzctl/browse
>>
>>
>> Ola is probably asking about the source tarball. It's here:
>> http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2
>>
>>
>>
>>
>>
>> Cheers
>>
>> // Ola
>>
>> On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist <ola at inguza.com> wrote:
>>
>> Hi Sergey
>>
>> How serious should we consider this problem? Should I ask the Debian
>> security team (Debian does not accept new revisions, just backports for
>> security fixes to their stable releases) to backport this correction to the
>> current vzctl stable package?
>>
>> In the meantime I'll build this 4.9.4 for Debian unstable and also upload
>> to the openvz download directory. First testing and then after a few days
>> to the wheezy and jessie stable targets.
>>
>> Regards,
>>
>> // Ola
>>
>>
>>
>> On Tue, Aug 25, 2015 at 2:32 PM, Sergey Bronnikov <sergeyb at openvz.org> wrote:
>>
>> OpenVZ project has released a new vzctl update for legacy OpenVZ.
>> Read below for more information. Everybody is advised to upgrade.
>>
>> Changes
>> =======
>> * store VE layout to VE config on start
>> * store VE layout in VE config during create and convert
>>
>> See full changelog here:
>> https://src.openvz.org/projects/OVZL/repos/vzctl/commits
>>
>> Download
>> ========
>> http://wiki.openvz.org/Download/vzctl/4.9.4
>>
>>
>> Thanks
>> ======
>> OpenVZ project would like to thank the RACK911LABS for discovering this
>> bug and providing the attack scenario.
>>
>>
>> Bug reporting
>> =============
>> Please report all bugs found to https://bugs.openvz.org/
>>
>>
>> Other sources of info on updates
>> ================================
>> See http://planet.openvz.org/ to view all the news (including updates)
>> online. There you can also find RSS/Atom feed links.
>>
>>
>> Regards,
>> OpenVZ team
>> _______________________________________________
>> Announce mailing list
>> Announce at openvz.org
>> https://lists.openvz.org/mailman/listinfo/announce
>>
>>
>>
>> --
>>  --- Inguza Technology AB --- MSc in Information Technology ----
>> /  ola at inguza.com                    Annebergsslingan 37        \
>> |  opal at debian.org                   654 65 KARLSTAD            |
>> |  http://inguza.com/                  Mobile: +46 (0)70-332 1551 |
>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9   /
>>  ---------------------------------------------------------------