Debian kernel security updates.

Buddha Bart

Diamond Member
Oct 11, 1999
3,064
0
0
I recently installed a fresh copy of 3.0r2 on a test machine. Being as old as it is, I know for a fact that it contains a recently announced kernel exploit. However, when I do an apt-get dist-upgrade and an apt-get upgrade, I'm left with the same kernel in the end. Yes, security.debian.org is in my sources.list.

Is this normal behavior? Does apt treat the kernel differently than other packages?

I'm trying to move over from RH7.3, so I'm used to up2date. With up2date, you had to tweak a config file to get it to upgrade the kernel because by default it would leave it alone. Is there a similar configuration tweak I need to do in Debian?

Also, it appears that the install kernel is an attempted "catch all/compiled in" kernel. As such I have next to nothing in /etc/modules. Is there a Debian hardware detection tool that will build the modules list for me (like kudzu)?

Note: Please do not turn this into a thread about the merits of, or why I should be compiling my own kernel. My goal is to make as analogous a transition as possible from debian to redhat.
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Originally posted by: Buddha Bart
I recently installed a fresh copy of 3.0r2 on a test machine. Being as old as it is, I know for a fact that it contains a recently announced kernel exploit. However, when I do an apt-get dist-upgrade and an apt-get upgrade, I'm left with the same kernel in the end. Yes, security.debian.org is in my sources.list.
You're talking about the mremap() bug, I assume? Yes, there is a Debian advisory for it, found here.

Is this normal behavior? Does apt treat the kernel differently than other packages?

I'm trying to move over from RH7.3, so I'm used to up2date. With up2date, you had to tweak a config file to get it to upgrade the kernel because by default it would leave it alone. Is there a similar configuration tweak I need to do in Debian?
It's a different issue, I think. I haven't built a Debian machine up from scratch in a while, but I think the default "boot" kernel is its own package distinct from the regular kernel series. It may not even be a "package" in the technical sense. Do an apt-cache search kernel-image to see the "standard" kernels. Those should be automatically updated in the case of security updates.
Also, it appears that the install kernel is an attempted "catch all/compiled in" kernel. As such I have next to nothing in /etc/modules. Is there a Debian hardware detection tool that will build the modules list for me (like kudzu)?
You want discover - it's in the repos but not installed by default.

 

Buddha Bart

I think the default "boot" kernel is its own package distinct from the regular kernel series. It may not even be a "package" in the technical sense.

Thank you! That explains it.

I did an apt-get install kernel-image-2.4.18-686 and lost support for my network card. That's why I asked about the hardware detect. I'm gonna go try discover now. Thanks again.
 

Buddha Bart

Heheh... stuff like this... you gotta love Linux sometimes.

So I install discover, it runs, and says "pcnet32 detected, skipping (assumed to be in kernel)". No!!!

So I figure, ok, I'll just read the man page and figure out how to override that. Nope.. nothing about overriding. OK what happens when I run 'discover'.

Nothing. It just pauses a sec and returns you to the prompt. Now this would make sense perhaps if the man page says "creates a new /etc/modules file" or "pipes its output to a file in /whatever/path", but no.

discover... nothing
discover > blah.txt empty file
discover --enable-all nothing
discover --enable-all --format=%m nothing

what is this program doing!!
 

cleverhandle

No idea, sorry. Never used it. What if you just screw the cutesy automated stuff, and do a modprobe pcnet32? Does the module load correctly? If so, just put "pcnet32" in /etc/modules and be done with it.

Weird that it would think it's in the kernel if it's not, though. Are you definitely booting the new kernel? (I recall the switchover from "boot" to "standard" kernels being a bit fussy). The interface doesn't show up in ifconfig -a ?
 

Buddha Bart

Yeah I put pcnet32 in /etc/modules and it worked fine.

Weird that it would think it's in the kernel if it's not, though. Are you definitely booting the new kernel?
At the time I was not, because I needed the networking support to be able to apt-get discover.

I recall the switchover from "boot" to "standard" kernels being a bit fussy
Yeah I'm noticing that.

Now that I've installed kernel-image-2.4.18-1-686, there still is no security update. However, seeing as I just downloaded it last night, perhaps they'd already backported the fix to the package. This page: http://packages.debian.org/stable/base/kernel-image-2.4.18-686 seems to link to the wrong changelog. Also, it says at the top 2.4.18-686-5 whereas my uname -a reports 2.4.18-1-686. This is quite the mess.

What's the Debian equivalent of rpm -qa?
 

cleverhandle

Originally posted by: Buddha Bart
Now that I've installed kernel-image-2.4.18-1-686, there still is no security update. However, seeing as I just downloaded it last night, perhaps they'd already backported the fix to the package.
Quite possibly. I didn't ask before, but I assume you've got a line in sources.list for the security updates, right?
This page: http://packages.debian.org/stable/base/kernel-image-2.4.18-686 seems to link to the wrong changelog. Also, it says at the top 2.4.18-686-5 whereas my uname -a reports 2.4.18-1-686. This is quite the mess.
Some of this is confusion from kernel package versioning. There are two very similar looking versions for the kernel packages - the first looks to be the upstream kernel release, something like 2.4.18-1. That's what your uname is going to report. The second is the Debian package version, something like 2.4.18-12.1. See the bottom of the security advisory I linked above for examples. But it certainly does appear, either by accident or design, that the packages page you linked refers to an older version.
What's the Debian equivalent of rpm -qa?
dpkg -l. Its formatting is pretty crappy for long names, so I'd advise COLUMNS=100 dpkg -l. Pipe that through a grep on kernel-image, and you should have your kernel package info. If you see 2.4.18-12 in there somewhere, then you're up to date.
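
Added example (not part of either poster's message): the `dpkg -l` check described above as a script that compares the Debian package version, rather than the `uname` string, against the fixed version quoted in the thread. The `PREFIX` value, the helper names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag installed kernel-image packages older than a fixed version.
FIXED="2.4.18-12"                  # package version quoted in the thread
PREFIX="kernel-image-2.4.18-1-"    # assumption: packages this version applies to

# version_ge A B: succeed if Debian package version A >= B.
# Uses dpkg's own comparison when present; otherwise falls back to
# sort -V, an approximation that is adequate for these simple strings.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# check_kernel_images: read `dpkg -l` output on stdin and print a verdict
# for every installed (status "ii") package whose name starts with PREFIX.
check_kernel_images() {
    awk -v p="$PREFIX" '$1 == "ii" && index($2, p) == 1 { print $2, $3 }' |
    while read -r name version; do
        if version_ge "$version" "$FIXED"; then
            echo "OK      $name $version"
        else
            echo "UPDATE  $name $version"
        fi
    done
}

# Constructed sample of `COLUMNS=100 dpkg -l` output (not taken from the thread).
sample_dpkg_l() {
cat <<'EOF'
ii  kernel-image-2.4.18-1-686  2.4.18-12.1  Linux kernel image for version 2.4.18 on PPro
ii  kernel-image-2.4.18-1-386  2.4.18-5     Linux kernel image for version 2.4.18 on 386
rc  kernel-image-2.2.20        2.2.20-5     Linux kernel image for version 2.2.20
ii  modutils                   2.4.15-1     Linux module utilities
EOF
}

# On a real system: COLUMNS=100 dpkg -l | check_kernel_images
sample_dpkg_l | check_kernel_images
```

An OK line only says the fixed package is installed; the running kernel is the old one until the machine is rebooted into it.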

 

Buddha Bart

dpkg -l. Its formatting is pretty crappy for long names, so I'd advise COLUMNS=100 dpkg -l. Pipe that through a grep on kernel-image, and you should have your kernel package info. If you see 2.4.18-12 in there somewhere, then you're up to date.
Thank you again sir. I actually had just managed to dig this out of a mailing list post and combing through the man page 2 minutes ago, but I appreciate your reply. I owe you a beer.
 

Buddha Bart

Yep, when I did the list it was 2.4.18-12.1

Next up in my redhat to debian conversion experience is figuring out what to do in place of chkconfig, and where to look so that I don't have to keep bothering people in forums (debian.org doesn't seem to have anywhere near the quality documentation as the redhat guides).
 

cleverhandle

Originally posted by: Buddha Bart
Yep, when I did the list it was 2.4.18-12.1
Cool. While it's always good to check, you'll find that Debian tends to "do the right thing" in the large majority of cases.
Next up in my redhat to debian conversion experience is figuring out what to do in place of chkconfig,...
There's update-rc.d, but it's meant more for package maintainers than as a convenient administrative tool. That may work for you, though. If you run across a simple text mode tool like RH's ntsysv, let me know.
...and where to look so that I don't have to keep bothering people in forums (debian.org doesn't seem to have anywhere near the quality documentation as the redhat guides).
Yeah, docs are kind of lacking in some places - there was a recent flamefest about this on debian-user. On the plus side, you probably won't need docs for most tasks - just answer debconf's questions, and off you go. But some of the really Debian-specific stuff (packaging, menus, startup scripts) can be downright mystifying because Debian's way is completely different than anyone else's. Asking here, IRC, or the mailing lists is probably a better bet than scrounging for docs online for those things.

 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Personally I like to build a custom kernel, even for Debian. Using the Debian package tools it's pretty easy and it automates everything; all you have to figure out then is to use menuconfig and pick the half a billion options right. Right now my policy is "when in doubt make it a module". Nowadays I make most everything modules.

Here are the docs from debian newbie dot com that concern how to set up the kernel

They also have a few other nice things on that website.

Kudzu, this is the program created by redhat and used in its anaconda stuff. Just run kudzu as root and it will detect hardware and set it up into a /etc/modutils/kudzu file. Then use update-modules command to update the configuration to your /etc/modules.conf. This is what I use, thanks to redhat.

Discover is another package.. I think knoppix uses it. I didn't like it as much as kudzu...


 

Buddha Bart

Originally posted by: drag
Personally I like to build a custom kernel, even for Debian. Using the Debian package tools it's pretty easy and it automates everything; all you have to figure out then is to use menuconfig and pick the half a billion options right. Right now my policy is "when in doubt make it a module". Nowadays I make most everything modules.

Here are the docs from debian newbie dot com that concern how to set up the kernel
Thanks but no thanks, not even slightly interested (see my first post).

Kudzu, this is the program created by redhat and used in its anaconda stuff. Just run kudzu as root and it will detect hardware and set it up into a /etc/modutils/kudzu file. Then use update-modules command to update the configuration to your /etc/modules.conf. This is what I use, thanks to redhat.
Good idea, it hadn't occurred to me that kudzu would be available on debian just not used.

Discover is another package.. I think knoppix uses it. I didn't like it as much as kudzu...
Yea see one of my posts above for the fun I had with it.

 

Buddha Bart

Originally posted by: BingBongWongFooey
#debian on freenode, and/or debian-users mailing list
Yeah I tried asking this on #debian/freenode, but got no answers.
What does chkconfig do?
Manages what things get started and stopped at what runlevels. (basically all your init scripts).

 

drag

Well then have it your own way, I guess when I used Redhat I made my own kernels and don't think about it much, but just so you know using the debian tools you make it into a deb package that can be installed and uninstalled on your machine using dpkg and apt. For instance last night I installed the kernel I made on my machine into a friend's debian machine and it worked with no problems.

Anyways for runlevels you can look on that newbiedoc.sourceforge.net website and it will give you a good breakdown on what tools are available and how to use them. Just skip the sections about "what is a runlevel". It's quite a bit more primitive than what's probably used in redhat.
 