<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 08/31/2015 02:22 PM, Ola Lundqvist
wrote:<br>
</div>
<blockquote
cite="mid:CABY6=0mrtiMF8xko5oZG3NRVb6sTyf5+ETEYg1wr3HYXMzJ2eQ@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div dir="ltr">Privet Kir and Igor
<div><br>
</div>
<div>Sources and patches here:</div>
<div><a moz-do-not-send="true"
href="ftp://ftp.debian.org/debian/pool/main/v/vzctl/">ftp://ftp.debian.org/debian/pool/main/v/vzctl/</a><br>
</div>
<div><br>
</div>
<div>Source is named .orig.tar.gz</div>
<div>and the patches are either in .diff.gz or packaged in
.debian.tar.gz</div>
<div><br>
</div>
<div>I think we should at least backport 4.8 (current stable)
and then maybe oldstable 3.0.30. 3.0.24 is oldold stable so I
guess you can skip that.</div>
</div>
</blockquote>
<br>
Ploop support only appears in vzctl 3.1, so 3.0.x doesn't need to
be patched.<br>
<br>
Igor,<br>
<br>
Can you please port the security fix to Debian's vzctl 4.8 and
provide the patch(es) to Ola?<br>
<br>
Kir.<br>
<br>
<blockquote
cite="mid:CABY6=0mrtiMF8xko5oZG3NRVb6sTyf5+ETEYg1wr3HYXMzJ2eQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Thanks in advance</div>
<div><br>
</div>
<div>// Ola</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Aug 31, 2015 at 11:17 PM, Kir
Kolyshkin <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:kir@odin.com" target="_blank">kir@odin.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class=""> <br>
<br>
<div>On 08/31/2015 12:15 PM, Ola Lundqvist wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I was. :-) Thanks!
<div><br>
</div>
<div>Will look into this shortly. Will also look
into backporting the fix.<br>
</div>
</div>
</blockquote>
<br>
</span> Ola,<br>
<br>
I think Igor (in Cc) will be able to provide the fix
backported,<br>
just let us know which version you have in Debian (and
a link<br>
to sources, as I guess you have some patches in there,
too).<span class="HOEnZb"><font color="#888888"><br>
<br>
Kir.</font></span>
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
<div>// Ola</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Aug 31, 2015 at
8:47 PM, Kir Kolyshkin <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:kir@openvz.org" target="_blank">kir@openvz.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"><span><br>
<br>
On 08/26/2015 01:26 AM, Sergey Bronnikov
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> Hi<br>
<br>
On 23:19 Tue 25 Aug , Ola Lundqvist wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> Hi again<br>
<br>
Also I can not find where to download
the software (neither binaries nor<br>
sources). Is it only available in git?<br>
</blockquote>
It is not so difficult to find sources.<br>
We have one git repo for openvz sources -<br>
<a moz-do-not-send="true"
href="http://src.openvz.org"
rel="noreferrer" target="_blank">src.openvz.org</a>.<br>
vzctl sources are here <a
moz-do-not-send="true"
href="https://src.openvz.org/projects/OVZL/repos/vzctl/browse"
rel="noreferrer" target="_blank">https://src.openvz.org/projects/OVZL/repos/vzctl/browse</a><br>
</blockquote>
<br>
</span> Ola is probably asking about the
source tarball. It's here:<br>
<a moz-do-not-send="true"
href="http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2"
rel="noreferrer" target="_blank">http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2</a>
<div>
<div><br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> <br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> Cheers<br>
<br>
// Ola<br>
<br>
On Tue, Aug 25, 2015 at 11:15 PM, Ola
Lundqvist &lt;<a
moz-do-not-send="true"
href="mailto:ola@inguza.com"
target="_blank">ola@inguza.com</a>&gt;
wrote:<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> Hi Sergey<br>
<br>
How serious should we consider this
problem? Should I ask the Debian<br>
security team (Debian do not accept
new revisions, just backports for<br>
security fixes to their stable
releases) to backport this
correction to the<br>
current vzctl stable package?<br>
<br>
In the meantime I'll build this
4.9.4 for debian unstable and also
upload<br>
to the openvz download directory.
First testing and then after a few
days<br>
to the wheezy and jessie stable
targets.<br>
<br>
Regards,<br>
<br>
// Ola<br>
<br>
<br>
<br>
On Tue, Aug 25, 2015 at 2:32 PM,
Sergey Bronnikov &lt;<a
moz-do-not-send="true"
href="mailto:sergeyb@openvz.org"
target="_blank">sergeyb@openvz.org</a>&gt;<br>
wrote:<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> OpenVZ
project has released a new vzctl
update for legacy OpenVZ.<br>
Read below for more information.
Everybody is advised to upgrade.<br>
<br>
Changes<br>
=======<br>
* store VE layout to VE config on
start<br>
* store VE layout in VE config
during create and convert<br>
<br>
See full changelog here:<br>
<a moz-do-not-send="true"
href="https://src.openvz.org/projects/OVZL/repos/vzctl/commits"
rel="noreferrer" target="_blank">https://src.openvz.org/projects/OVZL/repos/vzctl/commits</a><br>
<br>
Download<br>
========<br>
<a moz-do-not-send="true"
href="http://wiki.openvz.org/Download/vzctl/4.9.4"
rel="noreferrer" target="_blank">http://wiki.openvz.org/Download/vzctl/4.9.4</a><br>
<br>
<br>
Thanks<br>
======<br>
OpenVZ project would like to thank
the RACK911LABS for discovering
this<br>
bug and<br>
providing the attack scenario.<br>
<br>
<br>
Bug reporting<br>
=============<br>
Please report all bugs found to <a
moz-do-not-send="true"
href="https://bugs.openvz.org/"
target="_blank">https://bugs.openvz.org/</a><br>
<br>
<br>
Other sources of info on updates<br>
================================<br>
See <a moz-do-not-send="true"
href="http://planet.openvz.org/"
rel="noreferrer" target="_blank">http://planet.openvz.org/</a>
to view all the news (including
updates)<br>
online.<br>
There you can also find RSS/Atom
feed links.<br>
<br>
<br>
Regards,<br>
OpenVZ team<br>
_______________________________________________<br>
Announce mailing list<br>
<a moz-do-not-send="true"
href="mailto:Announce@openvz.org"
target="_blank">Announce@openvz.org</a><br>
<a moz-do-not-send="true"
href="https://lists.openvz.org/mailman/listinfo/announce"
rel="noreferrer" target="_blank">https://lists.openvz.org/mailman/listinfo/announce</a><br>
<br>
</blockquote>
<br>
<br>
--<br>
--- Inguza Technology AB --- MSc
in Information Technology ----<br>
/ <a moz-do-not-send="true"
href="mailto:ola@inguza.com"
target="_blank">ola@inguza.com</a>
Annebergsslingan
37 \<br>
| <a moz-do-not-send="true"
href="mailto:opal@debian.org"
target="_blank">opal@debian.org</a>
654 65 KARLSTAD
|<br>
| <a moz-do-not-send="true"
href="http://inguza.com/"
rel="noreferrer" target="_blank">http://inguza.com/</a>
Mobile: <a
moz-do-not-send="true"
href="tel:%2B46%20%280%2970-332%201551"
value="+46703321551"
target="_blank">+46 (0)70-332 1551</a>
|<br>
\ gpg/f.p.: 7090 A92B 18FE 7994
0C36 4FE4 18A1 B1CF 0FE5 3DD9 /<br>
---------------------------------------------------------------<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</blockquote>
<br>
</body>
</html>