--- /dev/null
+kernel-2.6-cn
+~~~~~~~~~~~~~
+
+Ovo je virtualni paket koji instalira odgovarajucu okolinu za CARNet
+Debian kernel izgradjen iz standardnog Debian Etchnhalf kernela, ali sa
+ExecShield i Layer 7 netfilterom. Takodjer, vise se ne koristi initrd vec
+initramfs tehnika, odnosno ne koristi se vise ni LILO vec GRUB kao glavni
+loader za Linux kernel.
+
+Vise o Etchnhalf Debian izdanju mozete procitati na:
+
+ http://www.debian.org/releases/etch/etchnhalf
+
+ExecShield je dodatni nivo zastite cija je glavna duznost onemoguciti
+izvrsavanje koda sa stranica koje su oznacene tako:
+
+ http://en.wikipedia.org/wiki/Exec_Shield
+
+Sam patch je preuzet iz Fedora CVS razvojnog stabla:
+
+ http://cvs.fedora.redhat.com/viewvc/rpms/kernel/F-9/linux-2.6-execshield.patch
+
+Dodatak je i Layer 7 Netfilter modul koji omogucava matchiranje odredjenih
+aplikativnih protokola sa boljom ili losijom pouzdanoscu. Stranica
+projekta je:
+
+ http://l7-filter.sourceforge.net/
+
+Popis podrzanog hardvera:
+-------------------------
+Memorija: do 64GB (bigmem odnosno PAE podrska)
+
+Procesori: IA32 (pocevsi od PIII procesora), x86_64 ukljucno sa EM64T
+ procesorima PIII i visi (ali ne IA-64) u SMP i UP nacinu rada
+
+Ploce: sve standardne PC ploce za IA32 ili x86_64 arhitekturu
+
+IDE kontroleri: AMD AMD74xx, CMD64x, Highpoint HPT366, Intel PIIX/ICH, IT821x,
+ Promise PDC202xx, ServerWorks, Silicon Image, SIS513, VIA82Cxxx,
+ genericki PCI IDE, ITE 821x, Pacific Digital Corporation ADMA,
+ Serverworks OSB4/CSB5/CSB6, SiI, SiS, VIA, Marvell
+
+SCSI i SAS kontroleri: 3ware 9000, Dell PERC2, 2/Si, 3/Si, 3/Di, Adaptec
+ Advanced Raid Products, HP NetRAID-4M, IBM ServeRAID, ICP SCSI,
+ Adaptec AIC77xx/78xx/790x/94xx, HP Controller CCISS SA5xxx/SA6xxx,
+ Adaptec I2O, IBM Power RAID, IBM ServeRAID, Emulex LightPulse Fibre
+ Channel, LSI Logic MegaRAID, Fusion MPT, Qlogic ISP (QLA
+ 1x80/1x160), QLogic Fibre Channel, NCR/Symbios/LSI 8xx/1010,
+ FlashPoint, Marvell
+
+mrezne kartice: 3Com 3c59x/3c9xx, RealTek RTL-8139, Broadcom NetXtreme II
+ BCM5706/5708, Intel PRO/100, NE2000, PCNet32/PCnetPCI, RealTek
+ RTL-8169, SiS sis190, SiS 900, SysKonnect, Digital 21x4x Tulip,
+ 3Com Typhoon (3C990, 3CR990, itd), VIA Rhine, VIA Velocity, QLogic
+ QLA3xxx, Marvell Yukon 2/SysKonnect, Attansic L1
+
+SATA kontroleri: AHCI, Marvell, nVidia, Promise ATA TX2/TX4/TX4000, Pacific
+ Digital Corporation QStor, Silicon Image, Silicon Image 3124/3132,
+ Silicon Integrated Systems, K2, Promise, ULi, VIA, Vitesse VSC7174,
+ Initio 162x
+
+ostalo: IPv4 i IPv6 Netfilter moduli, QoS pravila, raznorazni
+ filesistemi (NFSv3 client i server, XFS, Ext2/3, Minix), VLAN
+ 802.1q, bridge 802.1d, USB EHCI/UHCI/OHCI, InfiniBand, SoftRAID
+ (append, MD 0/1/4/5/6), LVM2, IPMI, i6300ESB watchdog, i8xx/Intel TCO
+ watchdog, DeviceMapper, IEEE 1394 FireWire, KVM Intel/AMD, SATA/SAS
+ hubovi/ekspanderi itd.
+
+Datoteke koje se backupiraju:
+-----------------------------
+/etc/lilo.conf -> /var/backups
+/etc/sysctl.conf -> /var/backups
+//etc/kernel-img.conf -> /var/backups
+
+Datoteke koje se mijenjaju uvjetno ili bezuvjetno:
+--------------------------------------------------
+/etc/lilo.conf -> gasi se LILO (lilo.conf -> lilo.conf.old)
+/etc/kernel-img.conf -> podesava se (aktivira initrd, koristi GRUB)
+/boot/grub -> instalira se GRUB po potrebi
+/boot/grub/menu.lst -> generira se GRUB konfiguracija
+/etc/mdadm/mdadm.conf -> stvara se Linux MD konfiguracija
+/etc/group -> brise se grupa 99 proc
+/etc/default/oidentd -> Oidentd rekonfiguracija, micanje iz grupe proc
+/etc/sysctl.conf -> sigurnosne i ine kernel postavke
+/etc/security/limits.conf -> onemogucavanje core po korisniku
+/etc/pam.d/login -> omogucavanje pam limits konfiguracije za telnet
+/etc/pam.d/ssh -> omogucavanje pam limits konfiguracije za ssh
+/boot/vmlinuz /boot/vmlinuz.old /boot/vmlinuz.old2 /boot/vmlinuz.plain
+ /vmlinuz /vmlinuz.old /boot/vmlinuz.plain -> eliminacija starih i
+ zaostalih symlinkova
+
+ -- Dinko Korunic <kreator@carnet.hr> Fri, 13 Feb 2009 15:14:11 +0100
--- /dev/null
+kernel-2.6-cn (3:2.6.24-1) stable; urgency=high
+
+ * paket postaje virtualni paket koji ovisi o posebno gradjenom CARNet Debian
+ kernelu (linux-image-2.6.24-etchnhalf.1-686-bigmem) koji je deriviran iz
+ standardnog Debian kernela, ali su dodani ExecShield patchevi kao i
+ Netfilter Layer 7 patchevi
+ * omogucen TCP MD5 Signature (RFC 2385)
+ * postavljen TCP Cubic kao defaultni TCP congestion algoritam
+ * prelazak na novi Epoch
+
+ -- Dinko Korunic <kreator@carnet.hr> Fri, 13 Feb 2009 15:05:21 +0100
+
+kernel-2.6-cn (2:2.6.27.10-1) stable; urgency=high
+
+ * novi upstream kernel: 2.6.27.10 (niz bitnih sigurnosnih popravaka naspram
+ 2.6.26.3)
+ * omogucen TCP MD5 Signature (RFC 2385)
+ * pociscene nepotrebne opcije u LILO append parametru
+ * omoguceni x86 PAT registri
+ * povratak na SEGMEXEC zbog sporosti na Intel P4 procesorima (stariji
+ posluzitelji)
+ * omogucen Ext4 datotecni sustav
+
+ -- Dinko Korunic <kreator@carnet.hr> Sat, 27 Dec 2008 13:24:12 +0100
+
+kernel-2.6-cn (2:2.6.26.3-1) stable; urgency=high
+
+ * novi upstream kernel: 2.6.26.3 (niz bitnih sigurnosnih popravaka naspram
+ 2.6.24.7)
+ * novi upstream patch: Grsecurity 2.1.12
+ * novi upstream patch: Layer7 2.20
+ * ciscenje nepotrebnih kernel postavki iz sysctl (kernel.rtsig-max,
+ net.ipv4.tcp_syncookies)
+ * nove sysctl postavke za TCP poboljsanja (net.core.rmem_default,
+ net.core.wmem_default kao i net.ipv4.tcp_congestion_control) te sigurnost
+ (vm.mmap_min_addr, kernel.maps_protect)
+ * 4K stacks
+ * par novih drivera (Marvel SATA/SAS, FlashPoint, SFF, SAS/SATA
+ hubovi/ekspanderi, SoftRAID 4/5/6)
+ * LILO konfiguracija sada sadrzi i plainold, prethodni non-Grsecurity kernel
+ * popravljen bug u initrd init skripti (import skripte iz Etcha), te
+ nadogradjeni svi binaryji koji se koriste unutar initrd preslike
+
+ -- Dinko Korunic <kreator@carnet.hr> Mon, 8 Sep 2008 18:52:36 +0200
+
+kernel-2.6-cn (2:2.6.24.7-2) stable; urgency=low
+
+ * postinst za oidentd servis koristi oident:oident te reverta prethodne
+ promjene ako je potrebno, s obzirom da je to u Etchu default
+
+ -- Dinko Korunic <kreator@carnet.hr> Wed, 18 Jun 2008 12:54:08 +0200
+
+kernel-2.6-cn (2:2.6.24.7-1) stable; urgency=high
+
+ * novi upstream kernel: 2.6.24.7 (bitni sigurnosni popravci od 2.6.24.2:
+ CVE-2008-1669, CVE-2008-1375, CVE-2008-1675)
+ * opet je omogucen cijeli Grsecurity, te je upaljen i UDEREF
+ * cfq elevator je default (zbog serverske namjene)
+ * conflict sa libc6-i686 zbog mogucih OOPS-anja i rusenja servisa (problem
+ sa SYSENTER)
+ * LILO conf koristi memtest86+ (ako je prisutan), a ne obsolete memtest86
+ * ugasena mprotect zastita zbog kolizija sa Debian bibliotekama (gmp) i
+ Sophos Sweep AV
+
+ -- Dinko Korunic <kreator@carnet.hr> Thu, 22 May 2008 16:34:02 +0200
+
+kernel-2.6-cn (2:2.6.24.2-2) stable; urgency=low
+
+ * fix za postrm kernel-2.4-cn i kernel-cn
+ * cfq elevator je sad default (zbog serverske namjene)
+ * uljepsan ispis prilikom instalacije/deinstalacije paketa
+
+ -- Dinko Korunic <kreator@carnet.hr> Tue, 26 Feb 2008 17:49:55 +0100
+
+kernel-2.6-cn (2:2.6.24.2-1) stable; urgency=high
+
+ * novi upstream kernel: 2.6.24.2
+ * novi upstream PaX patch: pax-linux-2.6.24.1-test12.patch
+ * fix za: CVE-2008-0009, CVE-2008-0010 te CVE-2008-0600
+
+ -- Dinko Korunic <kreator@carnet.hr> Mon, 11 Feb 2008 17:23:02 +0100
+
+kernel-2.6-cn (2:2.6.24-1) stable; urgency=high
+
+ * novi upstream kernel: 2.6.24
+ * Grsecurity patch za 2.6.23.14 i dalje uzrokuje rusenje, a onaj za
+ 2.6.24 ne postoji -- fallback na cisti PaX
+ (pax-linux-2.6.24-test9.patch)
+ * izbacivanje SATA-generic layera za PATA uredjaje i fallback na cisti
+ nativni PATA layer (generic IDE uredjaji)
+
+ -- Dinko Korunic <kreator@carnet.hr> Tue, 29 Jan 2008 18:53:47 +0100
+
+kernel-2.6-cn (2:2.6.23.14-2) stable; urgency=high
+
+ * rebuild zbog sluzbenog Grsecurity patcha za 2.6.23.14
+
+ -- Dinko Korunic <kreator@carnet.hr> Sat, 26 Jan 2008 12:52:35 +0100
+
+kernel-2.6-cn (2:2.6.23.14-1) stable; urgency=high
+
+ * novi upstream source -- kernel 2.6.23.14, ispravljen CVE-2008-0001
+ * nova PCI lista za module (pcimodules)
+ * update dokumentacije (README.CARNet)
+ * podrska za nove uredjaje:
+ * mrezne kartice: Marvell Yukon 2/SysKonnect, Attansic L1
+ * SATA kontroleri: Initio 162x
+ * ostalo: IEEE 1394 FireWire stack, KVM Intel/AMD
+
+ -- Dinko Korunic <kreator@carnet.hr> Fri, 18 Jan 2008 20:42:36 +0100
+
+kernel-2.6-cn (2:2.6.22.9-1) stable; urgency=low
+
+ * novi upstream source -- kernel 2.6.22.9, grsecurity 2.1.11, layer7 2.13
+ * nova PCI lista za module (pcimodules)
+ * update dokumentacije (README.CARNet)
+ * izbacen src za initrd, nepotreban je sistemcima
+ * koristimo irqbalance userspace servis umjesto zastarjelog u kernelu
+
+ -- Dinko Korunic <kreator@carnet.hr> Wed, 17 Oct 2007 17:20:24 +0200
+
+kernel-2.6-cn (2:2.6.22.6-1) stable; urgency=low
+
+ * update dokumentacije (README.CARNet)
+ * novi upstream source -- kernel 2.6.22.6 te grsecurity 2.1.11
+ * koristen gcc4 za izgradnju
+ * nova PCI lista za module (pcimodules)
+
+ -- Dinko Korunic <kreator@carnet.hr> Sun, 23 Sep 2007 22:52:56 +0200
+
+kernel-2.6-cn (2:2.6.20.6-1) stable; urgency=low
+
+ * 8-CPU podrska (npr. SMP quad-core Xeon)
+ * HIGHMEM64G podrska (>= 4GB RAM)
+ * IPsec podrska (transport, tunnel, BEET; AH, ESP, IPComp) za IPv4 i IPv6
+ * podrska za QLA iSCSI
+ * Marvell PATA driver
+ * multipath podrska (MD i DM)
+ * VIA Velocity podrska, QLA3xxx podrska
+ * watchdog podrska za i6300ESB, i8xx/Intel TCO
+ * HID podrska, USB serial, USB monitor
+ * ugasen ekstenzivni Grsecurity logging (problem spinlock OOPS)
+ * release bez Layer7 podrske (nema svjezeg patcha za 2.6.20)
+ * update dokumentacije (README.CARNet)
+
+ -- Dinko Korunic <kreator@carnet.hr> Thu, 12 Apr 2007 00:22:35 +0200
+
+kernel-2.6-cn (2:2.6.19.3-2) stable; urgency=low
+
+ * dodani QLA i Emulex FC driveri
+ * dependancy na svjezi LILO, modutils, module-init-tools, itd.
+ * promijenjena procedura za detekciju boot uredjaja (LILO)
+ * update dokumentacije (README.CARNet)
+
+ -- Dinko Korunic <kreator@carnet.hr> Tue, 20 Feb 2007 21:42:57 +0100
+
+kernel-2.6-cn (2:2.6.19.3-1) stable; urgency=high
+
+ * novi kernel source [2.6.19.3]
+ * novi Grsecurity patch [2.1.10] koji popravlja PaX expand_stack()
+ ranjivost
+ * nadogradjena pcilist uredjaja za automatsku HW detekciju
+
+ -- Dinko Korunic <kreator@carnet.hr> Wed, 7 Feb 2007 15:15:06 +0100
+
+kernel-2.6-cn (2:2.6.18.2-1) stable; urgency=high
+
+ * novi kernel source [2.6.18.2]
+ * Layer 7 Netfilter podrska
+ * dodana dokumentacija za stealth modul
+ * nadogradjena pcilist uredjaja za automatsku HW detekciju
+ * uveden CONFIG_REGPARM
+ * uvedeni POSIX ACL-ovi na datotecnim sustavima ih podrzavaju
+
+ -- Dinko Korunic <kreator@carnet.hr> Thu, 23 Nov 2006 15:51:35 +0100
+
+kernel-2.6-cn (2:2.6.17.8-1) stable; urgency=high
+
+ * novi kernel source [2.6.17.8]:
+ - CVE-2006-3468: Ext3 Invalid Inode Number Denial of Service
+ - niz manjih popravki unutar jezgre
+
+ -- Dinko Korunic <kreator@srce.hr> Thu, 10 Aug 2006 15:14:40 +0200
+
+kernel-2.6-cn (2:2.6.17.5-1) stable; urgency=high
+
+ * novi kernel source [2.6.17.5]:
+ - CVE-2006-2451: "prctl" Privilege Escalation Vulnerability
+ - CVE-2006-2629: SMP "/proc" Race Condition Denial of Service
+ - CVE-2006-2445: Race condition in run_posix_cpu_timers
+ - CVE-2006-2071: Shared Memory Restrictions Bypass
+ - CVE-2006-1862: Virtual memory implementation flaw causing DoS
+ - CVE-2006-1860: "lease_init()" Denial of Service Vulnerability
+ - CVE-2006-1859: "lease_init()" Denial of Service Vulnerability
+ - CVE-2006-1525: "ip_route_input()" Denial of Service Vulnerability
+ - CVE-2006-1524: Shared Memory Restrictions Bypass
+ - CVE-2006-1523: "__group_complete_signal()" unknown impact
+ - CVE-2006-1522: "__keyring_search_one()" Denial of Service
+ - CVE-2006-1343: IPv4 "sockaddr_in.sin_zero" Information Disclosure
+ - CVE-2006-1055: SYSFS Local Denial of Service Vulnerability
+ - CVE-2006-0741: Local Denial of Service and Information Disclosure
+ - CVE-2006-0557: "sys_mbind()" unknown impact
+ - CVE-2006-0555: Local Denial of Service and Information Disclosure
+ - CVE-2006-0454: "ip_options_echo()" Denial of Service Vulnerability
+ - CVE-2006-0095: "dm-crypt()" Information Disclosure
+ ...
+ * nove rutine [pcimodules] za automatsko ucitavanje potrebnih modula
+ * novi podrzani uredjaji: ServerRAID i it821x, itd.
+
+ -- Dinko Korunic <kreator@srce.hr> Mon, 17 Jul 2006 19:24:34 +0200
+
+kernel-2.6-cn (2:2.6.14.7-2) stable; urgency=low
+
+ * poboljsana podrska za noviji MPT Fusion driver - sada
+ se ucitava u initrdu
+
+ -- Dinko Korunic <kreator@srce.hr> Thu, 16 Mar 2006 21:22:22 +0100
+
+kernel-2.6-cn (2:2.6.14.7-1) stable; urgency=low
+
+ * novi kernel source [2.6.14.7]
+ * novi grsecurity [2.1.9]
+ * nova imenicka shema kernel-2.4-cn za 2.4 kernel i kernel-2.6-cn za 2.6
+ jezgru
+
+ -- Dinko Korunic <kreator@srce.hr> Thu, 23 Feb 2006 18:41:46 +0100
+
+kernel-cn (2:2.6.14.3-1) stable; urgency=low
+
+ * novi kernel source [2.6.14.3]
+ * novi grsecurity [2.1.7]
+
+ -- Dinko Korunic <kreator@srce.hr> Sat, 10 Dec 2005 15:02:50 +0100
+
+kernel-cn (2:2.4.32-1) stable; urgency=low
+
+ * novi kernel source [2.4.32-pre3]
+ * novi grsecurity [2.1.7]
+ * povratak nazad na prokusani i pouzdano radeci chpax
+
+ -- Dinko Korunic <kreator@srce.hr> Sat, 17 Sep 2005 13:54:46 +0200
+
+kernel-cn (2:2.4.31-1) stable; urgency=low
+
+ * novi kernel source [2.4.31]
+ * novi grsecurity [2.1.6]
+ * prelazak sa chpax na noviji paxctl mehanizam
+ - TODO: uputstva za sistemce
+ * prelazak na carnet-tools-cn funkcije
+
+ -- Dinko Korunic <kreator@srce.hr> Fri, 24 Jun 2005 11:08:29 +0200
+
+kernel-cn (2:2.4.30-2) stable; urgency=high
+
+ * dodani patchevi na 2.4.30 kernel:
+ - CAN-2005-1263: ELF binary format loader's core dump function problem
+ - 2.4.30-panic-if-more-than-one-moxa-2
+ - 2.4.30-bonding-rmmod-oops-1
+ - 2.4.30-madvise-must-return-EIO-1
+ - 2.4.30-rwsem-spinlocks-must-disable-interrupts-2
+
+ -- Dinko Korunic <kreator@srce.hr> Sun, 29 May 2005 12:29:47 +0200
+
+kernel-cn (2:2.4.30-1) stable; urgency=medium
+
+ * nova upstream verzija kernela [2.4.30]
+ - CAN-2005-0400: kernel memory leak in ext2 mkdir()
+ - CAN-2005-0750: bluetooth range checking bug
+ - CAN-2005-0794: potential DOS in load_elf_library.
+ - CAN-2005-0815: range checking flaws in isofs
+ * nova upstream verzija grsecurity dodatka [2.1.5]
+ - rijesen mlock problem
+
+ -- Dinko Korunic <kreator@srce.hr> Fri, 22 Apr 2005 18:22:13 +0200
+
+kernel-cn (2:2.4.29-3) stable; urgency=low
+
+ * ciscenja skripti paketa:
+ - sysctl.conf privremene datoteke se brisu
+ - vraca se nivo logiranja poruka na konzolu na vrijednosti prije
+ instalacije paketa
+ - paket u slucaju nadogradnje ne mijenja konfiguracijske datoteke bez
+ potrebe
+ - ne dira se group bez potrebe, koristi se getent za pretrazivanje
+ - dopisan Debian header u sysctl.conf
+ - prilican broj manjih promjena u paketu
+
+ -- Dinko Korunic <kreator@srce.hr> Wed, 16 Mar 2005 23:40:35 +0100
+
+kernel-cn (2:2.4.29-2) stable; urgency=high
+
+ * rebuild, izbacen epoll radi stabilnijeg kernela
+ * novi Grsecurity upstream source [2.1.2]
+ - rijesen Grsecurity sigurnosni bug sa PAGEEXEC
+ - izbacene ISN i ostale randomizacije
+
+ -- Dinko Korunic <kreator@srce.hr> Sun, 6 Mar 2005 12:49:15 +0100
+
+kernel-cn (2:2.4.29-1) stable; urgency=high
+
+ * novi upstream source [2.4.29]
+ * SEC izdanje zbog niza sigurnosnih rupa:
+ - uselib() ranjivost [CAN-2004-1235],
+ - x86/SMP page fault handler ranjivost [CAN-2005-0001]
+
+ -- Dinko Korunic <kreator@srce.hr> Thu, 27 Jan 2005 10:19:01 +0100
+
+kernel-cn (2:2.4.28-2) stable; urgency=high
+
+ * novi upstream source [2.4.28]
+ * novi grsec [2.1.0]
+ * SEC izdanje zbog niza sigurnosnih rupa:
+ http://grsecurity.net/news.php#grsec210
+ * dodan bridge modul
+ * dodana podrska za poznatije SATA kontrolere
+
+ -- Dinko Korunic <kreator@srce.hr> Sat, 8 Jan 2005 13:55:40 +0100
+
+kernel-cn (2:2.4.28-1) stable; urgency=high
+
+ * novi upstream source [2.4.28-rc3]
+ * novi grsec [2.0.2]
+ * SEC izdanje zbog popravljenih binfmt_elf bugova
+
+ -- Dinko Korunic <kreator@srce.hr> Tue, 16 Nov 2004 14:27:58 +0100
+
+kernel-cn (2:2.4.27-2) stable; urgency=low
+
+ * dodao sym53c8xx seriju kontrolaca u kernel
+
+ -- Dinko Korunic <kreator@srce.hr> Wed, 1 Sep 2004 18:56:22 +0200
+
+kernel-cn (2:2.4.27-1) stable; urgency=high
+
+ * novi upstream sourcevi, sredjeni niz kernel bugova u <= 2.4.26:
+ CAN-2004-0495 (Al Viro sparse fixes)
+ CAN-2004-0497 (users could modify group ID of arbitrary files on the
+ system)
+ CAN-2004-0535 (e1000 minor info leak)
+ CAN-2004-0685 (backported Conectiva usb sparse fixes)
+ CAN-2004-0415 (file offset pointer handling race)
+ CAN-2004-0565 (information leak ia64)
+
+ -- Dinko Korunic <kreator@srce.hr> Wed, 11 Aug 2004 00:33:24 +0200
+
+kernel-cn (2:2.4.26-4) stable; urgency=medium
+
+ * privremeno zaobisao gr_handle_chroot_setpriority() bug koji bi rusio
+ kernel pri mijenjanju prioriteta chroot()-anim procesima
+
+ -- Dinko Korunic <kreator@srce.hr> Wed, 30 Jun 2004 15:24:04 +0200
+
+kernel-cn (2:2.4.26-3) stable; urgency=high
+
+ * popravljena "heap overflow" kernel greska koja omogucava DoS korisnicima
+ sa shell pristupom
+
+ -- Dinko Korunic <kreator@srce.hr> Wed, 16 Jun 2004 19:09:47 +0200
+
+kernel-cn (2:2.4.26-2) stable; urgency=low
+
+ * brzi fixup za chpax, jer PT_* interface ne radi
+ * par poboljsanja postinst skripte: rotirajuci backupovi u /var/backups,
+ ocuvanje postojecih varijabli u /etc/sysctl.conf, atomicke operacije
+
+ -- Dinko Korunic <kreator@srce.hr> Tue, 20 Apr 2004 21:08:33 +0200
+
+kernel-cn (2:2.4.26-1) stable; urgency=low
+
+ * novi upstream source
+ * popravljeno par kriticnijih bugova: do_fork() memory leak, moguce iso9660
+ symlink prepunjavanje spremnika
+ * popravljeni bugovi standardne kriticnosti:
+ niz IPv6 popravki, niz ACPI popravki koje zahvacaju i Proliante izmedju
+ ostaloga (http://bugzilla.kernel.org/show_bug.cgi?id=1590), nesto SCSI i
+ USB popravki, popravak Tigon3 modula, NFS fix, niz Sparc popravki
+
+ -- Dinko Korunic <kreator@srce.hr> Thu, 15 Apr 2004 19:13:17 +0200
+
+kernel-cn (2:2.4.25-1) stable; urgency=high
+
+ * novi upstream source - kriticni root exploit za 2.4.* kernele
+ * sk98lin driver
+ * chpax -> paxctl, ostavio symlink
+
+ -- Dinko Korunic <kreator@srce.hr> Tue, 24 Feb 2004 21:02:55 +0100
+
+kernel-cn (2.4.24-1) stable; urgency=high
+
+ * novi upstream source - kriticni root exploit za 2.* kernele
+
+ -- Dinko Korunic <kreator@srce.hr> Mon, 5 Jan 2004 16:35:12 +0100
+
+kernel-cn (2.4.23-3) stable; urgency=medium
+
+ * oops, updateao /lib/modules/2.4.23-grsec ispravno ovaj put
+ * pocisceni initrd, redirekcija u /dev/null ucitavanja modula, itd.
+
+ -- Dinko Korunic <kreator@srce.hr> Fri, 12 Dec 2003 12:05:47 +0100
+
+kernel-cn (2.4.23-2) stable; urgency=low
+
+ * dodana detekcija uredjaja koji se nalaze na MPT na obicnom
+ SCSI prikljucku
+ * dodan driver za Broadcom Tigon3 mrezne kartice
+
+ -- Dinko Korunic <kreator@srce.hr> Tue, 9 Dec 2003 12:00:51 +0100
+
+kernel-cn (2.4.23-1) stable; urgency=high
+
+ * novi 2.4.23 kernel koji donosi raznorazne popravke, kao i za zloglasni
+ do_brk() root exploit
+ * sluzbeni MegaRAID2 patch je sada u kernelu, pa vise nije
+ rucno upatchiran
+ * noviji Grsecurity (1.9.13)
+ * novi gradm i chpax
+ * kernel testiran na vecinu exploita pomocu paxtest; jedini problemi
+ koji nisu rijeseni su return-into-libc koristeci pokazivace, odnosno
+ problemi koji se inace rjesavaju ET_DYN zastitom
+
+ -- Dinko Korunic <kreator@srce.hr> Wed, 3 Dec 2003 02:22:07 +0100
+
+kernel-cn (2.4.22-10) stable; urgency=medium
+
+ * IDE detekcija se pokazala da ne funkcionira ako su IDE moduli, te je IDE
+ odjeljak prebacen u kernel
+ * u initrdu se sada automatski ucitavaju i MPT* moduli, kao i CCISS i
+ CPQArray te AIC79xx
+ * grsec i non-grsec kerneli od sada dijele isti initrd
+ * initrd sada nosi i cjeloviti drivers/ i fs/ odjeljak modula, te
+ modules.dep i modules.conf koji bi trebali omoguciti bolju automatsku
+ detekciju
+ * dodan 3c59x driver po zahtjevu
+ * dodan epoll patch i epoll device
+ (http://www.xmailserver.org/linux-patches/nio-improve.html)
+ * kompilirano sa 2.95 gccom, zbog mogucih problema sa korisnickim
+ 2.95-kompiliranim kernel modulima
+ * initrd ima potpuniju listu modula
+ * od sada kernel-cn nosi u /usr/src potpuni template za vlastiti initrd
+ (grsec i non-grsec)
+ * napravljena autodetekcija root i boot uredjaja za lilo.conf
+
+ -- Dinko Korunic <kreator@srce.hr> Mon, 17 Nov 2003 17:22:13 +0100
+
+kernel-cn (2.4.22-9) stable; urgency=high
+
+ * razrijesen problem sa Koncar SoftRAID-om -> RAID ce raditi
+ za racunala koja imaju md0 = sd{a,b}2, kao sto nalaze install
+ kuharica
+ * dodana IDE detekcija u modules
+
+ -- Dinko Korunic <kreator@srce.hr> Wed, 22 Oct 2003 21:40:11 +0200
+
+kernel-cn (2.4.22-8) stable; urgency=low
+
+ * nova verzija glavnog paketa
+ * izvorni kod je patchiran sa novijim MegaRAID driverom
+ * modularizirana je podrska za ekstra SCSI hardver
+ * kompletno je pripremljen za potrebe rekompilacije
+ * sustav se dize pomocu initrd, tako da se potreban hardver detektira
+ tijekom podizanja sustava
+ * testirano na Koncar, Compaq Proliant i DELL PowerEdge racunalima
+
+ -- Dinko Korunic <kreator@srce.hr> Mon, 20 Oct 2003 14:37:41 +0200
--- /dev/null
+#!/bin/sh
+# postinst script for spamassassin-cn
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+
+case "$1" in
+ configure|reconfigure)
+ # continue below
+ ;;
+
+ *)
+ exit 0
+ ;;
+esac
+
+# import CN-functions
+. /usr/share/carnet-tools/functions.sh
+
+################################################################################
+
+# starting up backup
+echo -n "CN: Backed up to /var/backups:"
+
+# backup lilo.conf
+if [ -e /etc/lilo.conf ]; then
+ cp_backup_conffile /etc/lilo.conf
+ echo -n " lilo.conf"
+fi
+
+# backup old kernel params
+if [ -e /etc/sysctl.conf ]; then
+ cp_backup_conffile /etc/sysctl.conf
+ echo -n " sysctl.conf"
+fi
+
+# backup old kernel params
+if [ -e /etc/kernel-img.conf ]; then
+ cp_backup_conffile /etc/kernel-img.conf
+ echo -n " kernel-img.conf"
+fi
+
+# finished
+echo "."
+
+################################################################################
+
+# intro msg
+echo -n "CN: Configuring system (this will take a while):"
+
+# generate kernel-img.conf
+if [ ! -e /etc/kernel-img.conf ]; then
+ touch /etc/kernel-img.conf
+fi
+
+# update postinst_hook for grub
+if grep -q postinst_hook /etc/kernel-img.conf; then
+ cp_check_and_sed '^postinst_hook' \
+ 's;^postinst_hook[[:blank:]]*=.*;postinst_hook = /usr/sbin/update-grub;g' \
+ /etc/kernel-img.conf || true
+else
+ echo "postinst_hook = /usr/sbin/update-grub" >> /etc/kernel-img.conf
+fi
+
+# update postrm_hook for grub
+if grep -q postrm_hook /etc/kernel-img.conf; then
+ cp_check_and_sed '^postrm_hook' \
+ 's;^postrm_hook[[:blank:]]*=.*;postrm_hook = /usr/sbin/update-grub;g' \
+ /etc/kernel-img.conf || true
+else
+ echo "postrm_hook = /usr/sbin/update-grub" >> /etc/kernel-img.conf
+fi
+
+# enable initrd
+if grep -q do_initrd /etc/kernel-img.conf; then
+ cp_check_and_sed '^do_initrd' \
+ 's/^do_initrd[[:blank:]]*=.*/do_initrd = yes/g' \
+ /etc/kernel-img.conf || true
+else
+ echo "do_initrd = yes" >> /etc/kernel-img.conf
+fi
+
+echo -n " kernel-img.conf"
+
+# generate initial grub loaders
+if [ ! -d /boot/grub ]; then
+ mkdir -p /boot/grub
+ if [ -d /usr/lib/grub/i386-pc ]; then
+ cp -a /usr/lib/grub/i386-pc/* /boot/grub
+ fi
+fi
+
+# create/update grub configuration
+if [ -e /boot/grub/menu.lst ]; then
+ # is there uncompatibile grub conf present?
+ if ! grep -q 'AUTOMAGIC KERNELS LIST' /boot/grub/menu.lst; then
+ mv -f /boot/grub/menu.lst /boot/grub/menu.lst.old
+ fi
+fi
+if [ ! -e /boot/grub/menu.lst ]; then
+ yes | /usr/sbin/update-grub >/dev/null 2>&1 || true
+else
+ /usr/sbin/update-grub >/dev/null 2>&1 || true
+fi
+
+if ! grub-install --no-floppy '(hd0)' >/dev/null 2>&1; then
+ echo "."
+ echo "CN: FATAL ERROR running grub-install!"
+ echo "CN: Do not reboot your server and report this to OTRS immediately!"
+ exit 1
+fi
+echo -n " grub"
+
+# disable lilo
+if [ -e /etc/lilo.conf ]; then
+ mv -f /etc/lilo.conf /etc/lilo.conf.old
+fi
+echo -n " lilo"
+
+# mdadm
+if [ -x /usr/share/mdadm/mkconf ]; then
+ if [ ! -e /etc/mdadm/mdadm.conf ]; then
+ touch /etc/mdadm/mdadm.conf
+ fi
+
+ /usr/share/mdadm/mkconf > /etc/mdadm/mdadm.conf.$$
+ if ! cmp -s /etc/mdadm/mdadm.conf.$$ /etc/mdadm/mdadm.conf; then
+ mv /etc/mdadm/mdadm.conf.$$ /etc/mdadm/mdadm.conf
+ fi
+ rm -f /etc/mdadm/mdadm.conf.$$ /etc/initramfs-tools/hooks/md \
+ /var/lib/mdadm/CONF-UNCHECKED
+ echo -n " mdadm"
+fi
+
+# update initramfs accordingly
+update-initramfs -u -k all >/dev/null 2>&1 || true
+echo -n " initramfs"
+
+# finished
+echo "."
+
+################################################################################
+
+# rest of configuration...
+echo -n "CN: Modifying the neccessary system files:"
+
+# remove group 99
+if getent group proc >/dev/null 2>&1; then
+ groupdel proc >/dev/null 2>&1
+fi
+echo -n " proc"
+
+# remove oidentd from oident group
+if getent group oident >/dev/null 2>&1; then
+ # sarge default
+ cp_check_and_sed '^OIDENT_GROUP[[:blank:]]*=[[:blank:]]*nogroup' \
+ 's/^OIDENT_GROUP[[:blank:]]*=[[:blank:]]*nogroup/OIDENT_GROUP=oident/g' \
+ /etc/default/oidentd || true
+
+ # old kernel-2.6-cn default
+ cp_check_and_sed '^OIDENT_GROUP[[:blank:]]*=[[:blank:]]*proc' \
+ 's/^OIDENT_GROUP[[:blank:]]*=[[:blank:]]*proc/OIDENT_GROUP=oident/g' \
+ /etc/default/oidentd || true
+
+ echo -n " oidentd"
+fi
+
+# default kernel parameters
+rm -f /etc/sysctl.conf.$$
+cat > /etc/sysctl.conf.$$ <<EOF
+kernel.exec-shield=3
+kernel.maps_protect=1
+net.core.rmem_default=1048576
+net.core.wmem_default=1048576
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.all.log_martians=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.all.secure_redirects=1
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+net.ipv4.ip_forward=0
+net.ipv4.ip_local_port_range=10000 65000
+net.ipv4.tcp_congestion_control=cubic
+net.ipv4.tcp_ecn=0
+net.ipv4.tcp_max_syn_backlog=8192
+net.ipv4.tcp_retries1=2
+net.ipv4.tcp_rfc1337=1
+net.ipv4.tcp_syncookies=1
+vm.mmap_min_addr=65536
+EOF
+
+# old kernel params
+if [ -e /etc/sysctl.conf ]; then
+ #cat /etc/sysctl.conf >> /etc/sysctl.conf.$$
+ #ignore some of 2.4 stuff
+ egrep -v 'net\.core\.(r|w)mem_max|net\.ipv4\.tcp_(r|w)mem|vm\.bdflush|net\.ipv4\.ip_local_port_range|kernel\.rtsig-max|net\.ipv4\.tcp_syncookies' \
+ /etc/sysctl.conf >> /etc/sysctl.conf.$$
+fi
+
+# add sysctl.conf Debian headers
+rm -f /etc/sysctl.conf-head
+cat > /etc/sysctl.conf-head <<EOF
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See sysctl.conf (5) for information.
+#
+EOF
+
+# merge old and new in one conf, primarily respecting old
+script='
+my %confhash = ();
+my ($key, $value);
+while (<>)
+{
+ chomp();
+ if (/^\s*(\S+)\s*=\s*(.+)\s*$/o)
+ {
+ my ($key, $value) = ($1, $2);
+ $key =~ s/\//./go;
+ $confhash{$key} = $value;
+ }
+}
+for (sort { $a cmp $b } keys %confhash)
+{
+ print $_, "=", $confhash{$_}, "\n";
+}
+'
+rm -f /etc/sysctl.conf-new
+perl -e "$script" < /etc/sysctl.conf.$$ > /etc/sysctl.conf-new
+cat /etc/sysctl.conf-head /etc/sysctl.conf-new > /etc/sysctl.conf.$$
+rm -f /etc/sysctl.conf-head /etc/sysctl.conf-new
+
+# finished with merging, move into sysctl.conf
+cp_mv /etc/sysctl.conf.$$ /etc/sysctl.conf
+echo -n " sysctl.conf"
+
+# finished with basic kernel-2.6-cn stuff
+echo "."
+
+################################################################################
+
+# intro
+echo -n "CN: Setting up PAM configurations:"
+
+# update pam_limits accordingly
+if [ -e /etc/security/limits.conf ]; then
+ rm -f /etc/security/limits.conf.$$
+ cp /etc/security/limits.conf /etc/security/limits.conf.$$
+ cp-update kernel-2.6-cn /etc/security/limits.conf.$$ <<EOF
+* soft core 0
+* hard nofile 4096
+* soft nofile 4096
+EOF
+ cp_mv /etc/security/limits.conf.$$ /etc/security/limits.conf
+ echo -n " limits"
+fi
+
+# check pam.d/login
+if [ -e /etc/pam.d/login ]; then
+ cp_check_and_sed '^#.*session.+required.+pam_limits.so' \
+ 's/^#.*session.+required.+pam_limits.so/session required pam_limits.so/' \
+ /etc/pam.d/login || true
+ echo -n " login"
+fi
+
+# check pam.d/ssh
+if [ -e /etc/pam.d/ssh ]; then
+ cp_check_and_sed '^#.*session.+required.+pam_limits.so' \
+ 's/^#.*session.+required.+pam_limits.so/session required pam_limits.so/' \
+ /etc/pam.d/ssh || true
+ echo -n " ssh"
+fi
+
+# finished with PAM
+echo "."
+
+################################################################################
+
+# remove obsolete links
+rm -f /boot/vmlinuz /boot/vmlinuz.old /boot/vmlinuz.old2 \
+ /boot/vmlinuz.plain /vmlinuz /vmlinuz.old /boot/vmlinuz.plain
+echo "CN: Removed old symlinks in / and /boot."
+
+################################################################################
+
+# fix old kernel-2.4-cn postrm
+if [ -e /var/lib/dpkg/info/kernel-2.4-cn.postrm ]; then
+ echo "CN: Fixed old kernel-2.4-cn postrm."
+ cat > /var/lib/dpkg/info/kernel-2.4-cn.postrm.$$ <<EOF
+#!/bin/sh
+
+set -e
+
+# be sure, be safe
+if [ "$1" != "remove" ]; then
+ exit 0
+fi
+
+# import CN-functions
+. /usr/share/carnet-tools/functions.sh
+
+# remove us from limits.conf
+cp-update -r kernel-2.4-cn /etc/security/limits.conf
+
+# remove us from modules
+cp-update -r kernel-2.4-cn /etc/modules
+EOF
+ if ! cmp -s /var/lib/dpkg/info/kernel-2.4-cn.postrm \
+ /var/lib/dpkg/info/kernel-2.4-cn.postrm.$$; then
+ mv /var/lib/dpkg/info/kernel-2.4-cn.postrm.$$ \
+ /var/lib/dpkg/info/kernel-2.4-cn.postrm
+ chmod +x /var/lib/dpkg/info/kernel-2.4-cn.postrm
+ fi
+ rm -f /var/lib/dpkg/info/kernel-2.4-cn.postrm.$$
+fi
+
+################################################################################
+
+# fix old kernel-cn postrm
+if [ -e /var/lib/dpkg/info/kernel-cn.postrm ]; then
+ echo "CN: Fixed old kernel-cn postrm."
+ cat > /var/lib/dpkg/info/kernel-cn.postrm.$$ <<EOF
+#!/bin/sh
+
+set -e
+
+# be sure, be safe
+if [ "$1" != "remove" ]; then
+ exit 0
+fi
+
+# import CN-functions
+. /usr/share/carnet-tools/functions.sh
+
+# remove us from limits.conf
+cp-update -r kernel-cn /etc/security/limits.conf
+
+# remove us from modules
+cp-update -r kernel-cn /etc/modules
+EOF
+ if ! cmp -s /var/lib/dpkg/info/kernel-cn.postrm \
+ /var/lib/dpkg/info/kernel-cn.postrm.$$; then
+ mv /var/lib/dpkg/info/kernel-cn.postrm.$$ \
+ /var/lib/dpkg/info/kernel-cn.postrm
+ chmod +x /var/lib/dpkg/info/kernel-cn.postrm
+ fi
+ rm -f /var/lib/dpkg/info/kernel-cn.postrm.$$
+fi
+
+################################################################################
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
projects / kernel-cn.git / commitdiff