[Techtalk] kernel security patches

Mary mary-linuxchix at puzzling.org
Wed Mar 17 08:18:38 EST 2004


On Tue, Mar 16, 2004, Carla Schroder wrote:
> I'm so confused. :) And feeling like a bit of a dunce, after all these
> years of using Linux. How do distributions handle applying kernel
> security patches?  Like Debian and Red Hat? None of my machines have
> kernel sources. I use up2date on Red Hat boxes, and of course have the
> usual security sources in my Debian sources.list. So are my kernels
> getting updated or not?

I believe they are updated. Certainly on Red Hat 8 and 9, my default
up2date settings used to download new kernels. I'd get a mail via the
redhat watch list (or maybe the announce list?) and shortly after a new
kernel would appear in up2date and on the errata section of the Red Hat
site. The watch list is at
https://www.redhat.com/mailman/listinfo/redhat-watch-list (see also
http://www.redhat.com/mailman/listinfo ).

On Debian, it depends. When security fixes occur, Debian patches their
stable 2.4 kernel (2.4.18) and releases a new version and mails
debian-security-announce. I suspect people running 2.4.18 then get
updated when they run dist-upgrade. I'm not sure about their stable 2.2
kernel, but since I'm not running it, I'm not paying attention to the
mails. You could look at the security announce list's archives to check:
http://lists.debian.org/debian-security-announce/

As for newer kernels (in testing and unstable), I think Debian tends to
wait for the kernel developers to release a new minor version number
fixing the problem and then you can install that. Debian's kernel
installs *do not* by default upgrade by even minor version numbers
though (i.e., if you have kernel-image-2.4.20-686 installed, you won't
upgrade automatically to kernel-image-2.4.21-686).

To make this upgrade happen, you have to install the
kernel-image-2.4-ARCH (where ARCH is k7, 686, etc.) or
kernel-image-2.6-ARCH virtual package, which aren't part of the base
install. This package will depend on the latest version of the kernel,
thus making kernel updates happen when new minor versions are applied.
(I'm wary of this, because I have to recompile the Nvidia drivers every
time I upgrade, but for most people running standard modules, it should
'just work'.)

To check for sure, check your RPM and Debian package versions against
the numbers quoted in various announce mails on those lists, I guess.

-Mary
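A mechanical way to do the check the post ends with (compare what dpkg says is installed against the version an advisory quotes, and see whether a kernel-image-2.4-ARCH metapackage is present so newer images get pulled in). This is an added example, not part of Mary's post and not a Debian or Red Hat tool; the `dpkg -l` text, the package names and the "fixed in 2.4.18-13" advisory version are constructed sample data, and the version comparison is a simplified stand-in for `dpkg --compare-versions`:

```shell
#!/bin/sh
# Added example: check installed Debian kernel-image packages against the
# version quoted in a security advisory, entirely offline.
# All package names, versions and the dpkg output below are constructed
# sample data, not taken from any real advisory or system.

# version_ge A B -> exit 0 if Debian-style version A is >= version B.
# Simplified comparison: fields are split on . - + ~ and compared numerically
# where both sides are numeric, otherwise as strings. On a real box use
# `dpkg --compare-versions "$A" ge "$B"` instead.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.+~-]/); nb = split(b, y, /[.+~-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] : ""; q = (i <= nb) ? y[i] : ""
            if (p == q) continue
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) exit (p + 0 >= q + 0) ? 0 : 1
            exit (p >= q) ? 0 : 1
        }
        exit 0
    }'
}

# installed_version PKG DPKG_LIST -> prints the version of PKG if it is in
# state "ii" (installed) in the given `dpkg -l`-style text, otherwise nothing.
installed_version() {
    printf '%s\n' "$2" | awk -v pkg="$1" '$1 == "ii" && $2 == pkg { print $3 }'
}

# check_kernel PKG FIXED_VERSION DPKG_LIST -> prints one of
#   "not-installed", "vulnerable <ver>", "fixed <ver>"
# and returns 1, 2 or 0 respectively. Note: "fixed" only means the package on
# disk is new enough; the machine still runs the old image until rebooted.
check_kernel() {
    v=$(installed_version "$1" "$3")
    if [ -z "$v" ]; then echo "not-installed"; return 1; fi
    if version_ge "$v" "$2"; then echo "fixed $v"; return 0; fi
    echo "vulnerable $v"; return 2
}

# tracks_latest FLAVOUR DPKG_LIST -> 0 if the kernel-image-2.4-FLAVOUR
# metapackage is installed (so apt will pull in newer 2.4.x images), else 1.
tracks_latest() {
    [ -n "$(installed_version "kernel-image-2.4-$1" "$2")" ]
}

# Constructed sample `dpkg -l` output (not real system data):
# a 2.4.18 image at Debian revision 12, the 686 metapackage, and a 2.4.20
# image that is known to dpkg but not installed ("un").
SAMPLE_DPKG='ii  kernel-image-2.4.18-1-686  2.4.18-12  Linux kernel image for version 2.4.18 on PPro/Celeron/PII/PIII/PIV
ii  kernel-image-2.4-686       2.4.18     Linux kernel image for version 2.4 on PPro/Celeron/PII/PIII/PIV
un  kernel-image-2.4.20-686    <none>     (no description available)'

# Demo against the constructed data with a made-up advisory saying the fix is
# in 2.4.18-13: the installed 2.4.18-12 is reported as vulnerable.
check_kernel kernel-image-2.4.18-1-686 2.4.18-13 "$SAMPLE_DPKG" || true
```

On a live system the `dpkg -l` text would come from `dpkg -l 'kernel-image-*'` and the package to check is normally `kernel-image-$(uname -r)`; if dpkg shows a newer image than the one `uname -r` reports, the update has been installed but the machine has not been rebooted into it yet.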

