[Debian] [Announce] [Security] vzctl 4.9.4

Kir Kolyshkin kir at openvz.org
Thu Sep 3 11:28:43 PDT 2015



On 09/03/2015 03:36 AM, Igor Bazhitov wrote:
> Hi, Ola.
>
> There are 4 patches in the original fix - 2 of them make various
> preparations and the other 2 do the actual fix. Do you need them ported
> to vzctl-4.8 as is, or as one big cumulative patch?

Up to Ola really, but I guess a cumulative patch is fine.

>
> WBR, Igor Bazhitov.
>
> 01.09.2015 00:22, Ola Lundqvist writes:
>> Privet Kir and Igor
>>
>> Sources and patches here:
>> ftp://ftp.debian.org/debian/pool/main/v/vzctl/
>>
>> Source is named .orig.tar.gz
>> and the patches are either in .diff.gz or packaged in .debian.tar.gz
>>
>> I think we should at least backport 4.8 (current stable) and then maybe
>> oldstable 3.0.30. 3.0.24 is oldold stable so I guess you can skip that.
>>
>> Thanks in advance
>>
>> // Ola
>>
>> On Mon, Aug 31, 2015 at 11:17 PM, Kir Kolyshkin <kir at odin.com> wrote:
>>
>>
>>
>>      On 08/31/2015 12:15 PM, Ola Lundqvist wrote:
>>>      I was. :-) Thanks!
>>>
>>>      Will look into this shortly. Will also look into backporting the fix.
>>      Ola,
>>
>>      I think Igor (in Cc) will be able to provide the fix backported,
>>      just let us know which version you have in Debian (and a link
>>      to sources, as I guess you have some patches in there, too).
>>
>>      Kir.
>>
>>
>>>      // Ola
>>>
>>>      On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin <kir at openvz.org> wrote:
>>>
>>>
>>>
>>>          On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:
>>>
>>>              Hi
>>>
>>>              On 23:19 Tue 25 Aug , Ola Lundqvist wrote:
>>>
>>>                  Hi again
>>>
>>>                  Also I can not find where to download the software
>>>                  (neither binaries nor
>>>                  sources). Is it only available in git?
>>>
>>>              It is not so difficult to find sources.
>>>              We have one git repo for openvz sources -
>>>              src.openvz.org.
>>>              vzctl sources are here
>>>              https://src.openvz.org/projects/OVZL/repos/vzctl/browse
>>>
>>>
>>>          Ola is probably asking about the source tarball. It's here:
>>>          http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2
>>>
>>>
>>>
>>>
>>>
>>>                  Cheers
>>>
>>>                  // Ola
>>>
>>>                  On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist
>>>                  <ola at inguza.com> wrote:
>>>
>>>                      Hi Sergey
>>>
>>>                      How serious should we consider this problem?
>>>                      Should I ask the Debian
>>>                      security team (Debian do not accept new revisions,
>>>                      just backports for
>>>                      security fixes to their stable releases) to
>>>                      backport this correction to the
>>>                      current vzctl stable package?
>>>
>>>                      In the meantime I'll build this 4.9.4 for debian
>>>                      unstable and also upload
>>>                      to the openvz download directory. First testing
>>>                      and then after a few days
>>>                      to the wheezy and jessie stable targets.
>>>
>>>                      Regards,
>>>
>>>                      // Ola
>>>
>>>
>>>
>>>                      On Tue, Aug 25, 2015 at 2:32 PM, Sergey Bronnikov
>>>                      <sergeyb at openvz.org> wrote:
>>>
>>>                          OpenVZ project has released a new vzctl update
>>>                          for legacy OpenVZ.
>>>                          Read below for more information. Everybody is
>>>                          advised to upgrade.
>>>
>>>                          Changes
>>>                          =======
>>>                          * store VE layout to VE config on start
>>>                          * store VE layout in VE config during create
>>>                          and convert
>>>
>>>                          See full changelog here:
>>>                          https://src.openvz.org/projects/OVZL/repos/vzctl/commits
>>>
>>>                          Download
>>>                          ========
>>>                          http://wiki.openvz.org/Download/vzctl/4.9.4
>>>
>>>
>>>                          Thanks
>>>                          ======
>>>                          OpenVZ project would like to thank the
>>>                          RACK911LABS for discovering this
>>>                          bug and
>>>                          providing the attack scenario.
>>>
>>>
>>>                          Bug reporting
>>>                          =============
>>>                          Please report all bugs found to
>>>                          https://bugs.openvz.org/
>>>
>>>
>>>                          Other sources of info on updates
>>>                          ================================
>>>                          See http://planet.openvz.org/ to view all the
>>>                          news (including updates)
>>>                          online.
>>>                          There you can also find RSS/Atom feed links.
>>>
>>>
>>>                          Regards,
>>>                               OpenVZ team
>>>
>>>
>>>
>>>                      --
>>>                       --- Inguza Technology AB --- MSc in Information Technology ----
>>>                      /  ola at inguza.com                    Annebergsslingan 37        \
>>>                      |  opal at debian.org                   654 65 KARLSTAD            |
>>>                      |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>>>                      \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>>>                       ---------------------------------------------------------------
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>


