How to determine what's changed in new kernel?
Todd Denniston
Todd.Denniston at ssa.crane.navy.mil
Thu Jul 24 21:16:43 UTC 2008
Michael Hannon wrote, On 07/24/2008 04:19 PM:
<SNIP>
> rpm -q --changelog kernel-2.6.25.10-86.fc9.i686
>
> This gives a lot of output, as:
>
> * Mon Jul 07 2008 Chuck Ebbert <cebbert at redhat.com> 2.6.25.9-86
> - Fix USB interrupt handling with shared interrupts.
>
> * Fri Jul 04 2008 John W. Linville <linville at redhat.com> 2.6.25.9-85
> - Upstream wireless fixes from 2008-07-02
> (http://marc.info/?l=linux-netdev&m=121503163124089&w=2)
> - Apply Stefan Becker's fix for bad hunk of wireless build fixups for 2.6.25
> (https://bugzilla.redhat.com/show_bug.cgi?id=453390#c36)
> .
> .
> .
> * Fri Oct 12 2007 Dave Jones <davej at redhat.com>
> - 2.6.23-git2
>
> * Fri Oct 12 2007 Dave Jones <davej at redhat.com>
> - Start F9 branch.
>
> Clearly, not all of these changes apply to the transition
> from 2.6.25.9-76 to 2.6.25.10-86.
True, but the way I read these is:
A) find the entry with your old version (2.6.25.9-76) next to it
B) read everything above that entry.
> This makes it hard to assess the significance of that transition.
>
Security fixes are OFTEN (not always) accompanied by the words "security" or
"CVE-", but the only way to know if the fedora folks definitely think it is a
security fix is to look for the [SECURITY] marker on "fedora-package-announce"
as Michael indicated.
of course I also like lwn:
http://lwn.net/Security/
http://lwn.net/Alerts/Fedora/
> Is there some place I can find a succinct summary and evaluation
> of the changes to the kernel?
<SNIP>
You already have, the change log. Anything else is verbose.
And a more succinct summary as to a release being for security is looking for
the markers Michael indicated.
Of course in the past I have seen kernels put out that happens to fix a
security problem and yet it is not marked as a security release.
Also to have a _summary_ of what the IA security folks have been[1] thinking
about you want to look at:
http://cve.mitre.org/
going to the following and putting "linux kernel" in the keyword search, and
setting the "Search start date:" year field to 2008 is kind of interesting.
http://nvd.nist.gov/nvd.cfm?advancedsearch
<bad humor>
Man! any monkey can make these security decisions. :P
</bad humor>
[1] specifics of a cve is usually not made public until the experts have
looked at it for a while.
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
More information about the users
mailing list