Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities

Mike Gerber
Hi,

> Package        : linux-2.6
> Vulnerability  : several vulnerabilities
> Problem type   : local
> Debian-specific: no
> CVE Id(s)      : CVE-2007-6694 CVE-2008-0007 CVE-2008-1294 CVE-2008-1375
> [...]
> For the stable distribution (etch), this problem has been fixed in version
> 2.6.18.dfsg.1-18etch3.

Given a system with the package "linux-image-2.6.18-6-686" installed,
version "2.6.18.dfsg.1-18etch3" and:

 # uname -r
 2.6.18-6-686

How do I decide that the fixed kernel is actually booted? Other than by
uptime?

Cheers,
Mike


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Dominic Hargreaves-2
On Sat, May 03, 2008 at 10:57:38PM +0200, Mike Gerber wrote:

> Given a system with the package "linux-image-2.6.18-6-686" installed,
> version "2.6.18.dfsg.1-18etch3" and:
>
>  # uname -r
>  2.6.18-6-686
>
> How do I decide that the fixed kernel is actually booted? Other than by
> uptime?

cat /proc/version

will give you the full version of the booted kernel.

Cheers,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


Peter Palfrader
On Sat, 03 May 2008, Dominic Hargreaves wrote:

> cat /proc/version
>
> will give you the full version of the booted kernel.

Apropos.  Is there a way to get that information from a vmlinuz file on
disk?  Without booting it, that is.

Peter


Bernd Eckenfels
In article <[hidden email]> you wrote:
> Apropos.  Is there a way to get that information from a vmlinuz file on
> disk?  Without booting it, that is.

Interesting enough my (somewhat older) file command does only print "x86
boot sector", but I think some magic files supported it. Otherwise you can
use "strings vmlinux | fgrep 2."

I usually use the file name to describe it.

Regards
Bernd


Peter Palfrader
On Mon, 05 May 2008, Bernd Eckenfels wrote:

> In article <[hidden email]> you wrote:
> > Apropos.  Is there a way to get that information from a vmlinuz file on
> > disk?  Without booting it, that is.
>
> Interesting enough my (somewhat older) file command does only print "x86
> boot sector", but I think some magic files supported it. Otherwise you can
> use "strings vmlinux | fgrep 2."
>
> I usually use the file name to describe it.

debian.org kernel packages don't however.  Which makes it not exactly
suitable for a nagios check for "is the running kernel the one on the
filesystem".

Sure, strings | grep works, but that's quite .. ugly and at least gives
the impression of being fragile.

Peter


Noah Meyerhans-3
On Mon, May 05, 2008 at 02:57:34AM +0200, Peter Palfrader wrote:

> On Mon, 05 May 2008, Bernd Eckenfels wrote:
>
> > In article <[hidden email]> you wrote:
> > > Apropos.  Is there a way to get that information from a vmlinuz file on
> > > disk?  Without booting it, that is.
> >
> > Interesting enough my (somewhat older) file command does only print "x86
> > boot sector", but I think some magic files supported it. Otherwise you can
> > use "strings vmlinux | fgrep 2."
> >
> > I usually use the file name to describe it.
>
> debian.org kernel packages don't however.  Which makes it not exactly
> suitable for a nagios check for "is the running kernel the one on the
> filesystem".

I compare the ctime of the kernel image on the system with the machine's
uptime.  If the machine's been rebooted since the kernel image
changed, we're up to date, otherwise we're still running an older
kernel.  The attached shell script shows how.  You should be able to do
this with a nagios check...

noah


stale-kernel.sh (570 bytes) Download Attachment
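
The attachment is not reproduced on this page. What follows is an added example of the comparison Noah describes, not his stale-kernel.sh; it takes the boot time from the btime line of /proc/stat rather than computing it from uptime, and the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: has the kernel image changed since this machine booted?
# Return codes follow the Nagios plugin convention: 0 OK, 1 WARNING, 3 UNKNOWN.
# Assumes GNU stat (-c %Z) and a Linux /proc/stat.

# boot_epoch [STAT_FILE]: boot time in seconds since the epoch ("btime" line)
boot_epoch() {
    awk '$1 == "btime" { print $2; exit }' "${1:-/proc/stat}"
}

# check_stale_kernel IMAGE [STAT_FILE]
check_stale_kernel() {
    image=$1
    if ! ctime=$(stat -c %Z "$image" 2>/dev/null); then
        echo "UNKNOWN: cannot stat $image"
        return 3
    fi
    boot=$(boot_epoch "$2" 2>/dev/null) || boot=
    case $boot in
        ''|*[!0-9]*) echo "UNKNOWN: no btime in ${2:-/proc/stat}"; return 3 ;;
    esac
    if [ "$ctime" -gt "$boot" ]; then
        echo "WARNING: $image changed $((ctime - boot))s after boot, reboot pending"
        return 1
    fi
    echo "OK: booted after $image last changed"
    return 0
}

# Plugin entry point: pass the image path, e.g. /boot/vmlinuz-$(uname -r)
if [ $# -gt 0 ]; then
    check_stale_kernel "$@"
    exit $?
fi
```

The ctime also moves on a metadata-only change such as chmod or chown, so a WARNING here means "look", not "certainly outdated". A kernel installed under a different file name is not covered when only the running kernel's image is checked.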

Stephen Gran
In reply to this post by Peter Palfrader
This one time, at band camp, Peter Palfrader said:
> debian.org kernel packages don't however.  Which makes it not exactly
> suitable for a nagios check for "is the running kernel the one on the
> filesystem".

This one time, at band camp, Noah Meyerhans said:
> I compare the ctime of the kernel image on the system with the machine's
> uptime.  If the machine's been rebooted since the kernel image
> changed, we're up to date, otherwise we're still running an older
> kernel.  The attached shell script shows how.  You should be able to do
> this with a nagios check...

I also do some rummaging around to figure out what the meta package is
currently depending on, so that I know what version Debian currently
considers newest, then compare that to /proc/version.  That only works
for etch and newer kernel images, though, so I think I'll fall back to
Noah's method for older machines.
--
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [hidden email] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Peter Palfrader
In reply to this post by Bernd Eckenfels
On Mon, 05 May 2008, Bernd Eckenfels wrote:

> In article <[hidden email]> you wrote:
> > Apropos.  Is there a way to get that information from a vmlinuz file on
> > disk?  Without booting it, that is.
>
> Interesting enough my (somewhat older) file command does only print "x86
> boot sector", but I think some magic files supported it. Otherwise you can
> use "strings vmlinux | fgrep 2."

This does not appear to work well on at least armel.


Peter Palfrader
On Mon, 05 May 2008, Peter Palfrader wrote:

> On Mon, 05 May 2008, Bernd Eckenfels wrote:
>
> > In article <[hidden email]> you wrote:
> > > Apropos.  Is there a way to get that information from a vmlinuz file on
> > > disk?  Without booting it, that is.
> >
> > Interesting enough my (somewhat older) file command does only print "x86
> > boot sector", but I think some magic files supported it. Otherwise you can
> > use "strings vmlinux | fgrep 2."
>
> This does not appear to work well on at least armel.

Or, more generally, when the kernel is compressed.
http://svn.noreply.org/svn/weaselutils/trunk/nagios-check-running-kernel
is what I deployed on .debian.org so far.

Cheers, and thanks,
weasel
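
An added example of reading the kernel banner from an image on disk when the kernel proper is gzip-compressed; it is not the script linked in the message above. It assumes GNU grep (-a -b -o) and gzip, handles no other compressor, and assumes the image embeds the same "Linux version ..." banner that the running kernel shows in /proc/version; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not the script linked in the thread: read the kernel banner
# from an image on disk, also when the kernel proper is gzip-compressed.
# Assumes GNU grep (-a -b -o) and gzip; other compressors are not handled.

# first_banner: first "Linux version <digit>..." string found on stdin
first_banner() {
    LC_ALL=C tr -c '[:print:]' '\n' | grep -o 'Linux version [0-9].*' | head -n 1
}

# gzip_offsets IMAGE: byte offset of every gzip magic (1f 8b 08) in IMAGE
gzip_offsets() {
    magic=$(printf '\037\213\010')
    LC_ALL=C grep -abo "$magic" "$1" | cut -d: -f1
}

# image_banner IMAGE: banner from the raw bytes, else from the first embedded
# gzip stream that decompresses to data containing one; status 1 if none
image_banner() {
    banner=$(first_banner < "$1")
    if [ -z "$banner" ]; then
        for off in $(gzip_offsets "$1"); do
            banner=$(tail -c +$((off + 1)) "$1" | gzip -dc 2>/dev/null | first_banner)
            [ -n "$banner" ] && break
        done
    fi
    [ -n "$banner" ] && printf '%s\n' "$banner"
}

# check_running_matches IMAGE [RUNNING_BANNER]
# Nagios-style result: 0 OK, 1 WARNING, 3 UNKNOWN.
check_running_matches() {
    on_disk=$(image_banner "$1") || { echo "UNKNOWN: no banner in $1"; return 3; }
    running=${2:-$(cat /proc/version)}
    if [ "$on_disk" = "$running" ]; then
        echo "OK: running kernel matches $1"
        return 0
    fi
    echo "WARNING: running kernel differs from $1"
    return 1
}

if [ $# -gt 0 ]; then
    check_running_matches "$@"
    exit $?
fi
```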


Mike Gerber
In reply to this post by Stephen Gran
* Stephen Gran wrote:
> I also do some rummaging around to figure out what the meta package is
> currently depending on, so that I know what version Debian currently
> considers newest, then compare that to /proc/version.  That only works
> for etch and newer kernel images, though, so I think I'll fall back to
> Noah's method for older machines.

I use a small script for Nagios checks that I give the supposed-to-be
booted kernel (e.g. 2.6.18-6-686). I'll change that to have the option
to check /proc/version instead of uname -r.

I'm more comfortable with changing the Nagios configuration for each
kernel update than by relying on some up-to-date APT cache to determine
the current kernel. But I guess that's a matter of taste.

Cheers,
Mike
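
An added example, not Mike's script, of the check discussed in this thread: take the expected package version as an argument and compare it with what /proc/version reports, as Dominic suggested, instead of with uname -r. It assumes the banner has the form "Linux version <release> (Debian <package-version>) ..."; the sample banner is constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): check the booted kernel's Debian
# package version as reported by /proc/version.
# Assumption: the banner has the form
#   Linux version <release> (Debian <package-version>) ...

# Constructed sample banner, using the version named in the advisory.
SAMPLE_BANNER='Linux version 2.6.18-6-686 (Debian 2.6.18.dfsg.1-18etch3) (builder@example.org) (gcc version 4.1.2) #1 SMP'

# banner_release BANNER: the release string, i.e. what `uname -r` prints
banner_release() {
    printf '%s\n' "$1" | sed -n 's/^Linux version \([^ ]*\) .*/\1/p'
}

# banner_pkg_version BANNER: the Debian package version, empty if absent
banner_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/^Linux version [^ ]* (Debian \([^)]*\)).*/\1/p'
}

# check_booted_kernel EXPECTED_PKG_VERSION [BANNER]
# Nagios-style result: 0 OK, 2 CRITICAL, 3 UNKNOWN.
check_booted_kernel() {
    expected=$1
    banner=${2:-$(cat /proc/version)}
    booted=$(banner_pkg_version "$banner")
    if [ -z "$booted" ]; then
        echo "UNKNOWN: no Debian package version in kernel banner"
        return 3
    fi
    if [ "$booted" = "$expected" ]; then
        echo "OK: booted kernel is $(banner_release "$banner") ($booted)"
        return 0
    fi
    echo "CRITICAL: booted $booted, expected $expected"
    return 2
}

# Plugin entry point: pass the expected package version as the argument
if [ $# -gt 0 ]; then
    check_booted_kernel "$@"
    exit $?
fi
```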
