[Debian] [Announce] [Security] vzctl 4.9.4

Ola Lundqvist ola at inguza.com
Thu Sep 3 11:31:59 PDT 2015


Hi Igor

It does not matter really. Both ways will do.

However, I have a question. As I understand it, the config is changed at
creation or start. Should it be changed at upgrade time too, to make sure
the next start is safe? Or is it changed before it is a security hazard?

/Ola

Sent from a phone
On 3 Sep 2015 12:37, "Igor Bazhitov" <ibazhitov at odin.com> wrote:

> Hi, Ola.
>
> There are 4 patches in the original fix - 2 of them making various
> preparations and the other 2 do the actual fix. Do you need them ported
> to vzctl-4.8 as is, or as one big cumulative patch?
>
> WBR, Igor Bazhitov.
>
> 01.09.2015 00:22, Ola Lundqvist writes:
> > Privet Kir and Igor
> >
> > Sources and patches here:
> > ftp://ftp.debian.org/debian/pool/main/v/vzctl/
> >
> > Source is named .orig.tar.gz
> > and the patches are either in .diff.gz or packaged in .debian.tar.gz
> >
> > I think we should at least backport 4.8 (current stable) and then maybe
> > oldstable 3.0.30. 3.0.24 is oldoldstable so I guess you can skip that.
> >
> > Thanks in advance
> >
> > // Ola
> >
> > On Mon, Aug 31, 2015 at 11:17 PM, Kir Kolyshkin <kir at odin.com
> > <mailto:kir at odin.com>> wrote:
> >
> >
> >
> >     On 08/31/2015 12:15 PM, Ola Lundqvist wrote:
> >>     I was. :-) Thanks!
> >>
> >>     Will look into this shortly. Will also look into backporting the fix.
> >
> >     Ola,
> >
> >     I think Igor (in Cc) will be able to provide the fix backported,
> >     just let us know which version you have in Debian (and a link
> >     to sources, as I guess you have some patches in there, too).
> >
> >     Kir.
> >
> >
> >>
> >>     // Ola
> >>
> >>     On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin <kir at openvz.org
> >>     <mailto:kir at openvz.org>> wrote:
> >>
> >>
> >>
> >>         On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:
> >>
> >>             Hi
> >>
> >>             On 23:19 Tue 25 Aug , Ola Lundqvist wrote:
> >>
> >>                 Hi again
> >>
> >>                 Also I cannot find where to download the software
> >>                 (neither binaries nor sources). Is it only available in git?
> >>
> >>             It is not so difficult to find sources.
> >>             We have one git repo for openvz sources -
> >>             src.openvz.org <http://src.openvz.org>.
> >>             vzctl sources are here
> >>             https://src.openvz.org/projects/OVZL/repos/vzctl/browse
> >>
> >>
> >>         Ola is probably asking about the source tarball. It's here:
> >>
> http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2
> >>
> >>
> >>
> >>
> >>
> >>                 Cheers
> >>
> >>                 // Ola
> >>
> >>                 On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist
> >>                 <ola at inguza.com> wrote:
> >>
> >>                     Hi Sergey
> >>
> >>                     How serious should we consider this problem?
> >>                     Should I ask the Debian security team (Debian do not
> >>                     accept new revisions, just backports for security
> >>                     fixes to their stable releases) to backport this
> >>                     correction to the current vzctl stable package?
> >>
> >>                     In the meantime I'll build this 4.9.4 for Debian
> >>                     unstable and also upload to the openvz download
> >>                     directory. First testing, and then after a few days
> >>                     to the wheezy and jessie stable targets.
> >>
> >>                     Regards,
> >>
> >>                     // Ola
> >>
> >>
> >>
> >>                     On Tue, Aug 25, 2015 at 2:32 PM, Sergey Bronnikov
> >>                     <sergeyb at openvz.org <mailto:sergeyb at openvz.org>>
> >>                     wrote:
> >>
> >>                         The OpenVZ project has released a new vzctl
> >>                         update for legacy OpenVZ. Read below for more
> >>                         information. Everybody is advised to upgrade.
> >>
> >>                         Changes
> >>                         =======
> >>                         * store VE layout to VE config on start
> >>                         * store VE layout in VE config during create and convert
> >>
> >>                         See full changelog here:
> >>
> https://src.openvz.org/projects/OVZL/repos/vzctl/commits
> >>
> >>                         Download
> >>                         ========
> >>                         http://wiki.openvz.org/Download/vzctl/4.9.4
> >>
> >>
> >>                         Thanks
> >>                         ======
> >>                         The OpenVZ project would like to thank
> >>                         RACK911LABS for discovering this bug and
> >>                         providing the attack scenario.
> >>
> >>
> >>                         Bug reporting
> >>                         =============
> >>                         Please report all bugs found to
> >>                         https://bugs.openvz.org/
> >>
> >>
> >>                         Other sources of info on updates
> >>                         ================================
> >>                         See http://planet.openvz.org/ to view all the
> >>                         news (including updates) online.
> >>                         There you can also find RSS/Atom feed links.
> >>
> >>
> >>                         Regards,
> >>                              OpenVZ team
> >>                         _______________________________________________
> >>                         Announce mailing list
> >>                         Announce at openvz.org
> >>                         https://lists.openvz.org/mailman/listinfo/announce
> >>
> >>
> >>
> >>                     --
> >>                      --- Inguza Technology AB --- MSc in Information Technology ----
> >>                     /  ola at inguza.com                Annebergsslingan 37        \
> >>                     |  opal at debian.org               654 65 KARLSTAD            |
> >>                     |  http://inguza.com/             Mobile: +46 (0)70-332 1551 |
> >>                     \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
> >>                      ---------------------------------------------------------------
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >
>
>