From c44bb9f26d04ed1685faef002826eeece7d30335 Mon Sep 17 00:00:00 2001
From: Dinko Korunic
Date: Fri, 13 Feb 2009 15:36:11 +0100
Subject: [PATCH 1/1] - initial version of the package..

---
 README.CARNet | 92 +++++++++++
 changelog.CARNet | 1 +
 debian/changelog | 464 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 debian/compat | 1 +
 debian/control | 20 +++
 debian/docs | 2 +
 debian/postinst | 372 +++++++++++++++++++++++++++++++++++++++++++
 debian/postrm | 55 +++++++
 debian/rules | 74 +++++++++
 9 files changed, 1081 insertions(+)
 create mode 100644 README.CARNet
 create mode 120000 changelog.CARNet
 create mode 100644 debian/changelog
 create mode 100644 debian/compat
 create mode 100644 debian/control
 create mode 100644 debian/docs
 create mode 100755 debian/postinst
 create mode 100755 debian/postrm
 create mode 100755 debian/rules

diff --git a/README.CARNet b/README.CARNet new file mode 100644 index 0000000..104e2d3 --- /dev/null +++ b/README.CARNet 
@@ -0,0 +1,92 @@ +kernel-2.6-cn +~~~~~~~~~~~~~ + +Ovo je virtualni paket koji instalira odgovarajucu okolinu za CARNet +Debian kernel izgradjen iz standardnog Debian Etchnhalf kernela, ali sa +ExecShield i Layer 7 netfilterom. Takodjer, vise se ne koristi initrd vec +initramfs tehnika, odnosno ne koristi se vise ni LILO vec GRUB kao glavni +loader za Linux kernel. + +Vise o Etchnhalf Debian izdanju mozete procitati na: + + http://www.debian.org/releases/etch/etchnhalf + +ExecShield je dodatni nivo zastite cija je glavna duznost onemoguciti +izvrsavanje koda sa stranica koje su oznacene tako: + + http://en.wikipedia.org/wiki/Exec_Shield + +Sam patch je preuzet iz Fedora CVS razvojnog stabla: + + http://cvs.fedora.redhat.com/viewvc/rpms/kernel/F-9/linux-2.6-execshield.patch + +Dodatak je i Layer 7 Netfilter modul koji omogucava matchiranje odredjenih +aplikativnih protokola sa boljom ili losijom pouzdanoscu. Stranica +projekta je: + + http://l7-filter.sourceforge.net/ + +Popis podrzanog hardvera: +------------------------- +Memorija: do 64GB (bigmem odnosno PAE podrska) + +Procesori: IA32 (pocevsi od PIII procesora), x86_64 ukljucno sa EM64T + procesorima PIII i visi (ali ne IA-64) u SMP i UP nacinu rada + +Ploce: sve standardne PC ploce za IA32 ili x86_64 arhitekturu + +IDE kontroleri: AMD AMD74xx, CMD64x, Highpoint HPT366, Intel PIIX/ICH, IT821x, + Promise PDC202xx, ServerWorks, Silicon Image, SIS513, VIA82Cxxx, + genericki PCI IDE, ITE 821x, Pacific Digital Corporation ADMA, + Serverworks OSB4/CSB5/CSB6, SiI, SiS, VIA, Marvell + +SCSI i SAS kontroleri: 3ware 9000, Dell PERC2, 2/Si, 3/Si, 3/Di, Adaptec + Advanced Raid Products, HP NetRAID-4M, IBM ServeRAID, ICP SCSI, + Adaptec AIC77xx/78xx/790x/94xx, HP Controller CCISS SA5xxx/SA6xxx, + Adaptec I2O, IBM Power RAID, IBM ServeRAID, Emulex LightPulse Fibre + Channel, LSI Logic MegaRAID, Fusion MPT, Qlogic ISP (QLA + 1x80/1x160), QLogic Fibre Channel, NCR/Symbios/LSI 8xx/1010, + FlashPoint, Marvell + +mrezne kartice: 
3Com 3c59x/3c9xx, RealTek RTL-8139, Broadcom NetXtreme II + BCM5706/5708, Intel PRO/100, NE2000, PCNet32/PCnetPCI, RealTek + RTL-8169, SiS sis190, SiS 900, SysKonnect, Digital 21x4x Tulip, + 3Com Typhoon (3C990, 3CR990, itd), VIA Rhine, VIA Velocity, QLogic + QLA3xxx, Marvell Yukon 2/SysKonnect, Attansic L1 + +SATA kontroleri: AHCI, Marvell, nVidia, Promise ATA TX2/TX4/TX4000, Pacific + Digital Corporation QStor, Silicon Image, Silicon Image 3124/3132, + Silicon Integrated Systems, K2, Promise, ULi, VIA, Vitesse VSC7174, + Initio 162x + +ostalo: IPv4 i IPv6 Netfilter moduli, QoS pravila, raznorazni + filesistemi (NFSv3 client i server, XFS, Ext2/3, Minix), VLAN + 802.1q, bridge 802.1d, USB EHCI/UHCI/OHCI, InfiniBand, SoftRAID + (append, MD 0/1/4/5/6), LVM2, IPMI, i6300ESB watchdog, i8xx/Intel TCO + watchdog, DeviceMapper, IEEE 1394 FireWire, KVM Intel/AMD, SATA/SAS + hubovi/ekspanderi itd. + +Datoteke koje se backupiraju: +----------------------------- +/etc/lilo.conf -> /var/backups +/etc/sysctl.conf -> /var/backups +//etc/kernel-img.conf -> /var/backups + +Datoteke koje se mijenjaju uvjetno ili bezuvjetno: +-------------------------------------------------- +/etc/lilo.conf -> gasi se LILO (lilo.conf -> lilo.conf.old) +/etc/kernel-img.conf -> podesava se (aktivira initrd, koristi GRUB) +/boot/grub -> instalira se GRUB po potrebi +/boot/grub/menu.lst -> generira se GRUB konfiguracija +/etc/mdadm/mdadm.conf -> stvara se Linux MD konfiguracija +/etc/group -> brise se grupa 99 proc +/etc/default/oidentd -> Oidentd rekonfiguracija, micanje iz grupe proc +/etc/sysctl.conf -> sigurnosne i ine kernel postavke +/etc/security/limits.conf -> onemogucavanje core po korisniku +/etc/pam.d/login -> omogucavanje pam limits konfiguracije za telnet +/etc/pam.d/ssh -> omogucavanje pam limits konfiguracije za ssh +/boot/vmlinuz /boot/vmlinuz.old /boot/vmlinuz.old2 /boot/vmlinuz.plain + /vmlinuz /vmlinuz.old /boot/vmlinuz.plain -> eliminacija starih i + zaostalih symlinkova + + -- 
Dinko Korunic Fri, 13 Feb 2009 15:14:11 +0100 diff --git a/changelog.CARNet b/changelog.CARNet new file mode 120000 index 0000000..194579e --- /dev/null +++ b/changelog.CARNet @@ -0,0 +1 @@ +changelog.Debian \ No newline at end of file diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..8aeae60 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,464 @@ +kernel-2.6-cn (3:2.6.24-1) stable; urgency=high + + * paket postaje virtualni paket koji ovisi o posebno gradjenom CARNet Debian + kernelu (linux-image-2.6.24-etchnhalf.1-686-bigmem) koji je deriviran iz + standardnog Debian kernela, ali su dodani ExecShield patchevi kao i + Netfilter Layer 7 patchevi + * omogucen TCP MD5 Signature (RFC 2385) + * postavljen TCP Cubic kao defaultni TCP congestion algoritam + * prelazak na novi Epoch + + -- Dinko Korunic Fri, 13 Feb 2009 15:05:21 +0100 + +kernel-2.6-cn (2:2.6.27.10-1) stable; urgency=high + + * novi upstream kernel: 2.6.27.10 (niz bitnih sigurnosnih popravaka naspram + 2.6.26.3) + * omogucen TCP MD5 Signature (RFC 2385) + * pociscene nepotrebne opcije u LILO append parametru + * omoguceni x86 PAT registri + * povratak na SEGMEXEC zbog sporosti na Intel P4 procesorima (stariji + posluzitelji) + * omogucen Ext4 datotecni sustav + + -- Dinko Korunic Sat, 27 Dec 2008 13:24:12 +0100 + +kernel-2.6-cn (2:2.6.26.3-1) stable; urgency=high + + * novi upstream kernel: 2.6.26.3 (niz bitnih sigurnosnih popravaka naspram + 2.6.24.7) + * novi upstream patch: Grsecurity 2.1.12 + * novi upstream patch: Layer7 2.20 + * ciscenje nepotrebnih kernel postavki iz sysctl (kernel.rtsig-max, + net.ipv4.tcp_syncookies) + * nove sysctl postavke za TCP poboljsanja (net.core.rmem_default, + net.core.wmem_default kao i net.ipv4.tcp_congestion_control) te sigurnost + (vm.mmap_min_addr, kernel.maps_protect) + * 4K stacks + * par novih drivera (Marvel SATA/SAS, FlashPoint, SFF, SAS/SATA + hubovi/ekspanderi, SoftRAID 4/5/6) + * LILO konfiguracija sada sadrzi i plainold, prethodni non-Grsecurity kernel + * popravljen bug u initrd init skripti (import skripte iz Etcha), te + nadogradjeni svi binaryji koji se koriste unutar initrd preslike + + -- Dinko Korunic Mon, 8 Sep 2008 18:52:36 +0200 + +kernel-2.6-cn (2:2.6.24.7-2) stable; urgency=low + + * postinst za oidentd servis koristi oident:oident te reverta prethodne + promjene ako je 
potrebno, s obzirom da je to u Etchu default + + -- Dinko Korunic Wed, 18 Jun 2008 12:54:08 +0200 + +kernel-2.6-cn (2:2.6.24.7-1) stable; urgency=high + + * novi upstream kernel: 2.6.24.7 (bitni sigurnosni popravci od 2.6.24.2: + CVE-2008-1669, CVE-2008-1375, CVE-2008-1675) + * opet je omogucen cijeli Grsecurity, te je upaljen i UDEREF + * cfq elevator je default (zbog serverske namjene) + * conflict sa libc6-i686 zbog mogucih OOPS-anja i rusenja servisa (problem + sa SYSENTER) + * LILO conf koristi memtest86+ (ako je prisutan), a ne obsolete memtest86 + * ugasena mprotect zastita zbog kolizija sa Debian bibliotekama (gmp) i + Sophos Sweep AV + + -- Dinko Korunic Thu, 22 May 2008 16:34:02 +0200 + +kernel-2.6-cn (2:2.6.24.2-2) stable; urgency=low + + * fix za postrm kernel-2.4-cn i kernel-cn + * cfq elevator je sad default (zbog serverske namjene) + * uljepsan ispis prilikom instalacije/deinstalacije paketa + + -- Dinko Korunic Tue, 26 Feb 2008 17:49:55 +0100 + +kernel-2.6-cn (2:2.6.24.2-1) stable; urgency=high + + * novi upstream kernel: 2.6.24.2 + * novi upstream PaX patch: pax-linux-2.6.24.1-test12.patch + * fix za: CVE-2008-0009, CVE-2008-0010 te CVE-2008-0600 + + -- Dinko Korunic Mon, 11 Feb 2008 17:23:02 +0100 + +kernel-2.6-cn (2:2.6.24-1) stable; urgency=high + + * novi upstream kernel: 2.6.24 + * Grsecurity patch za 2.6.23.14 i dalje uzrokuje rusenje, a onaj za + 2.6.24 ne postoji -- fallback na cisti PaX + (pax-linux-2.6.24-test9.patch) + * izbacivanje SATA-generic layera za PATA uredjaje i fallback na cisti + nativni PATA layer (generic IDE uredjaji) + + -- Dinko Korunic Tue, 29 Jan 2008 18:53:47 +0100 + +kernel-2.6-cn (2:2.6.23.14-2) stable; urgency=high + + * rebuild zbog sluzbenog Grsecurity patcha za 2.6.23.14 + + -- Dinko Korunic Sat, 26 Jan 2008 12:52:35 +0100 + +kernel-2.6-cn (2:2.6.23.14-1) stable; urgency=high + + * novi upstream source -- kernel 2.6.23.14, ispravljen CVE-2008-0001 + * nova PCI lista za module (pcimodules) + * update dokumentacije 
(README.CARNet) + * podrska za nove uredjaje: + * mrezne kartice: Marvell Yukon 2/SysKonnect, Attansic L1 + * SATA kontroleri: Initio 162x + * ostalo: IEEE 1394 FireWire stack, KVM Intel/AMD + + -- Dinko Korunic Fri, 18 Jan 2008 20:42:36 +0100 + +kernel-2.6-cn (2:2.6.22.9-1) stable; urgency=low + + * novi upstream source -- kernel 2.6.22.9, grsecurity 2.1.11, layer7 2.13 + * nova PCI lista za module (pcimodules) + * update dokumentacije (README.CARNet) + * izbacen src za initrd, nepotreban je sistemcima + * koristimo irqbalance userspace servis umjesto zastarjelog u kernelu + + -- Dinko Korunic Wed, 17 Oct 2007 17:20:24 +0200 + +kernel-2.6-cn (2:2.6.22.6-1) stable; urgency=low + + * update dokumentacije (README.CARNet) + * novi upstream source -- kernel 2.6.22.6 te grsecurity 2.1.11 + * koristen gcc4 za izgradnju + * nova PCI lista za module (pcimodules) + + -- Dinko Korunic Sun, 23 Sep 2007 22:52:56 +0200 + +kernel-2.6-cn (2:2.6.20.6-1) stable; urgency=low + + * 8-CPU podrska (npr. SMP quad-core Xeon) + * HIGHMEM64G podrska (>= 4GB RAM) + * IPsec podrska (transport, tunnel, BEET; AH, ESP, IPComp) za IPv4 i IPv6 + * podrska za QLA iSCSI + * Marvell PATA driver + * multipath podrska (MD i DM) + * VIA Velocity podrska, QLA3xxx podrska + * watchdog podrska za i6300ESB, i8xx/Intel TCO + * HID podrska, USB serial, USB monitor + * ugasen ekstenzivni Grsecurity logging (problem spinlock OOPS) + * release bez Layer7 podrske (nema svjezeg patcha za 2.6.20) + * update dokumentacije (README.CARNet) + + -- Dinko Korunic Thu, 12 Apr 2007 00:22:35 +0200 + +kernel-2.6-cn (2:2.6.19.3-2) stable; urgency=low + + * dodani QLA i Emulex FC driveri + * dependancy na svjezi LILO, modutils, module-init-tools, itd. 
+ * promijenjena procedura za detekciju boot uredjaja (LILO) + * update dokumentacije (README.CARNet) + + -- Dinko Korunic Tue, 20 Feb 2007 21:42:57 +0100 + +kernel-2.6-cn (2:2.6.19.3-1) stable; urgency=high + + * novi kernel source [2.6.19.3] + * novi Grsecurity patch [2.1.10] koji popravlja PaX expand_stack() + ranjivost + * nadogradjena pcilist uredjaja za automatsku HW detekciju + + -- Dinko Korunic Wed, 7 Feb 2007 15:15:06 +0100 + +kernel-2.6-cn (2:2.6.18.2-1) stable; urgency=high + + * novi kernel source [2.6.18.2] + * Layer 7 Netfilter podrska + * dodana dokumentacija za stealth modul + * nadogradjena pcilist uredjaja za automatsku HW detekciju + * uveden CONFIG_REGPARM + * uvedeni POSIX ACL-ovi na datotecnim sustavima ih podrzavaju + + -- Dinko Korunic Thu, 23 Nov 2006 15:51:35 +0100 + +kernel-2.6-cn (2:2.6.17.8-1) stable; urgency=high + + * novi kernel source [2.6.17.8]: + - CVE-2006-3468: Ext3 Invalid Inode Number Denial of Service + - niz manjih popravki unutar jezgre + + -- Dinko Korunic Thu, 10 Aug 2006 15:14:40 +0200 + +kernel-2.6-cn (2:2.6.17.5-1) stable; urgency=high + + * novi kernel source [2.6.17.5]: + - CVE-2006-2451: "prctl" Privilege Escalation Vulnerability + - CVE-2006-2629: SMP "/proc" Race Condition Denial of Service + - CVE-2006-2445: Race condition in run_posix_cpu_timers + - CVE-2006-2071: Shared Memory Restrictions Bypass + - CVE-2006-1862: Virtual memory implementation flaw causing DoS + - CVE-2006-1860: "lease_init()" Denial of Service Vulnerability + - CVE-2006-1859: "lease_init()" Denial of Service Vulnerability + - CVE-2006-1525: "ip_route_input()" Denial of Service Vulnerability + - CVE-2006-1524: Shared Memory Restrictions Bypass + - CVE-2006-1523: "__group_complete_signal()" unknown impact + - CVE-2006-1522: "__keyring_search_one()" Denial of Service + - CVE-2006-1343: IPv4 "sockaddr_in.sin_zero" Information Disclosure + - CVE-2006-1055: SYSFS Local Denial of Service Vulnerability + - CVE-2006-0741: Local Denial of Service and 
Information Disclosure + - CVE-2006-0557: "sys_mbind()" unknown impact + - CVE-2006-0555: Local Denial of Service and Information Disclosure + - CVE-2006-0454: "ip_options_echo()" Denial of Service Vulnerability + - CVE-2006-0095: "dm-crypt()" Information Disclosure + ... + * nove rutine [pcimodules] za automatsko ucitavanje potrebnih modula + * novi podrzani uredjaji: ServerRAID i it821x, itd. + + -- Dinko Korunic Mon, 17 Jul 2006 19:24:34 +0200 + +kernel-2.6-cn (2:2.6.14.7-2) stable; urgency=low + + * poboljsana podrska za noviji MPT Fusion driver - sada + se ucitava u initrdu + + -- Dinko Korunic Thu, 16 Mar 2006 21:22:22 +0100 + +kernel-2.6-cn (2:2.6.14.7-1) stable; urgency=low + + * novi kernel source [2.6.14.7] + * novi grsecurity [2.1.9] + * nova imenicka shema kernel-2.4-cn za 2.4 kernel i kernel-2.6-cn za 2.6 + jezgru + + -- Dinko Korunic Thu, 23 Feb 2006 18:41:46 +0100 + +kernel-cn (2:2.6.14.3-1) stable; urgency=low + + * novi kernel source [2.6.14.3] + * novi grsecurity [2.1.7] + + -- Dinko Korunic Sat, 10 Dec 2005 15:02:50 +0100 + +kernel-cn (2:2.4.32-1) stable; urgency=low + + * novi kernel source [2.4.32-pre3] + * novi grsecurity [2.1.7] + * povratak nazad na prokusani i pouzdano radeci chpax + + -- Dinko Korunic Sat, 17 Sep 2005 13:54:46 +0200 + +kernel-cn (2:2.4.31-1) stable; urgency=low + + * novi kernel source [2.4.31] + * novi grsecurity [2.1.6] + * prelazak sa chpax na noviji paxctl mehanizam + - TODO: uputstva za sistemce + * prelazak na carnet-tools-cn funkcije + + -- Dinko Korunic Fri, 24 Jun 2005 11:08:29 +0200 + +kernel-cn (2:2.4.30-2) stable; urgency=high + + * dodani patchevi na 2.4.30 kernel: + - CAN-2005-1263: ELF binary format loader's core dump function problem + - 2.4.30-panic-if-more-than-one-moxa-2 + - 2.4.30-bonding-rmmod-oops-1 + - 2.4.30-madvise-must-return-EIO-1 + - 2.4.30-rwsem-spinlocks-must-disable-interrupts-2 + + -- Dinko Korunic Sun, 29 May 2005 12:29:47 +0200 + +kernel-cn (2:2.4.30-1) stable; urgency=medium + + * nova 
upstream verzija kernela [2.4.30] + - CAN-2005-0400: kernel memory leak in ext2 mkdir() + - CAN-2005-0750: bluetooth range checking bug + - CAN-2005-0794: potential DOS in load_elf_library. + - CAN-2005-0815: range checking flaws in isofs + * nova upstream verzija grsecurity dodatka [2.1.5] + - rijesen mlock problem + + -- Dinko Korunic Fri, 22 Apr 2005 18:22:13 +0200 + +kernel-cn (2:2.4.29-3) stable; urgency=low + + * ciscenja skripti paketa: + - sysctl.conf privremene datoteke se brisu + - vraca se nivo logiranja poruka na konzolu na vrijednosti prije + instalacije paketa + - paket u slucaju nadogradnje ne mijenja konfiguracijske datoteke bez + potrebe + - ne dira se group bez potrebe, koristi se getent za pretrazivanje + - dopisan Debian header u sysctl.conf + - prilican broj manjih promjena u paketu + + -- Dinko Korunic Wed, 16 Mar 2005 23:40:35 +0100 + +kernel-cn (2:2.4.29-2) stable; urgency=high + + * rebuild, izbacen epoll radi stabilnijeg kernela + * novi Grsecurity upstream source [2.1.2] + - rijesen Grsecurity sigurnosni bug sa PAGEEXEC + - izbacene ISN i ostale randomizacije + + -- Dinko Korunic Sun, 6 Mar 2005 12:49:15 +0100 + +kernel-cn (2:2.4.29-1) stable; urgency=high + + * novi upstream source [2.4.29] + * SEC izdanje zbog niza sigurnosnih rupa: + - uselib() ranjivost [CAN-2004-1235], + - x86/SMP page fault handler ranjivost [CAN-2005-0001] + + -- Dinko Korunic Thu, 27 Jan 2005 10:19:01 +0100 + +kernel-cn (2:2.4.28-2) stable; urgency=high + + * novi upstream source [2.4.28] + * novi grsec [2.1.0] + * SEC izdanje zbog niza sigurnosnih rupa: + http://grsecurity.net/news.php#grsec210 + * dodan bridge modul + * dodana podrska za poznatije SATA kontrolere + + -- Dinko Korunic Sat, 8 Jan 2005 13:55:40 +0100 + +kernel-cn (2:2.4.28-1) stable; urgency=high + + * novi upstream source [2.4.28-rc3] + * novi grsec [2.0.2] + * SEC izdanje zbog popravljenih binfmt_elf bugova + + -- Dinko Korunic Tue, 16 Nov 2004 14:27:58 +0100 + +kernel-cn (2:2.4.27-2) stable; 
urgency=low + + * dodao sym53c8xx seriju kontrolaca u kernel + + -- Dinko Korunic Wed, 1 Sep 2004 18:56:22 +0200 + +kernel-cn (2:2.4.27-1) stable; urgency=high + + * novi upstream sourcevi, sredjeni niz kernel bugova u <= 2.4.26: + CAN-2004-0495 (Al Viro sparse fixes) + CAN-2004-0497 (users could modify group ID of arbitrary files on the + system) + CAN-2004-0535 (e1000 minor info leak) + CAN-2004-0685 (backported Conectiva usb sparse fixes) + CAN-2004-0415 (file offset pointer handling race) + CAN-2004-0565 (information leak ia64) + + -- Dinko Korunic Wed, 11 Aug 2004 00:33:24 +0200 + +kernel-cn (2:2.4.26-4) stable; urgency=medium + + * privremeno zaobisao gr_handle_chroot_setpriority() bug koji bi rusio + kernel pri mijenjanju prioriteta chroot()-anim procesima + + -- Dinko Korunic Wed, 30 Jun 2004 15:24:04 +0200 + +kernel-cn (2:2.4.26-3) stable; urgency=high + + * popravljena "heap overflow" kernel greska koja omogucava DoS korisnicima + sa shell pristupom + + -- Dinko Korunic Wed, 16 Jun 2004 19:09:47 +0200 + +kernel-cn (2:2.4.26-2) stable; urgency=low + + * brzi fixup za chpax, jer PT_* interface ne radi + * par poboljsanja postinst skripte: rotirajuci backupovi u /var/backups, + ocuvanje postojecih varijabli u /etc/sysctl.conf, atomicke operacije + + -- Dinko Korunic Tue, 20 Apr 2004 21:08:33 +0200 + +kernel-cn (2:2.4.26-1) stable; urgency=low + + * novi upstream source + * popravljeno par kriticnijih bugova: do_fork() memory leak, moguce iso9660 + symlink prepunjavanje spremnika + * popravljeni bugovi standardne kriticnosti: + niz IPv6 popravki, niz ACPI popravki koje zahvacaju i Proliante izmedju + ostaloga (http://bugzilla.kernel.org/show_bug.cgi?id=1590), nesto SCSI i + USB popravki, popravak Tigon3 modula, NFS fix, niz Sparc popravki + + -- Dinko Korunic Thu, 15 Apr 2004 19:13:17 +0200 + +kernel-cn (2:2.4.25-1) stable; urgency=high + + * novi upstream source - kriticni root exploit za 2.4.* kernele + * sk98lin driver + * chpax -> paxctl, ostavio symlink 
+ + -- Dinko Korunic Tue, 24 Feb 2004 21:02:55 +0100 + +kernel-cn (2.4.24-1) stable; urgency=high + + * novi upstream source - kriticni root exploit za 2.* kernele + + -- Dinko Korunic Mon, 5 Jan 2004 16:35:12 +0100 + +kernel-cn (2.4.23-3) stable; urgency=medium + + * oops, updateao /lib/modules/2.4.23-grsec ispravno ovaj put + * pocisceni initrd, redirekcija u /dev/null ucitavanja modula, itd. + + -- Dinko Korunic Fri, 12 Dec 2003 12:05:47 +0100 + +kernel-cn (2.4.23-2) stable; urgency=low + + * dodana detekcija uredjaja koji se nalaze na MPT na obicnom + SCSI prikljucku + * dodan driver za Broadcom Tigon3 mrezne kartice + + -- Dinko Korunic Tue, 9 Dec 2003 12:00:51 +0100 + +kernel-cn (2.4.23-1) stable; urgency=high + + * novi 2.4.23 kernel koji donosi raznorazne popravke, kao i za zloglasni + do_brk() root exploit + * sluzbeni MegaRAID2 patch je sada u kernelu, pa vise nije + rucno upatchiran + * noviji Grsecurity (1.9.13) + * novi gradm i chpax + * kernel testiran na vecinu exploita pomocu paxtest; jedini problemi + koji nisu rijeseni su return-into-libc koristeci pokazivace, odnosno + problemi koji se inace rjesavaju ET_DYN zastitom + + -- Dinko Korunic Wed, 3 Dec 2003 02:22:07 +0100 + +kernel-cn (2.4.22-10) stable; urgency=medium + + * IDE detekcija se pokazala da ne funkcionira ako su IDE moduli, te je IDE + odjeljak prebacen u kernel + * u initrdu se sada automatski ucitavaju i MPT* moduli, kao i CCISS i + CPQArray te AIC79xx + * grsec i non-grsec kerneli od sada dijele isti initrd + * initrd sada nosi i cjeloviti drivers/ i fs/ odjeljak modula, te + modules.dep i modules.conf koji bi trebali omoguciti bolju automatsku + detekciju + * dodan 3c59x driver po zahtjevu + * dodan epoll patch i epoll device + (http://www.xmailserver.org/linux-patches/nio-improve.html) + * kompilirano sa 2.95 gccom, zbog mogucih problema sa korisnickim + 2.95-kompiliranim kernel modulima + * initrd ima potpuniju listu modula + * od sada kernel-cn nosi u /usr/src potpuni template za 
vlastiti initrd + (grsec i non-grsec) + * napravljena autodetekcija root i boot uredjaja za lilo.conf + + -- Dinko Korunic Mon, 17 Nov 2003 17:22:13 +0100 + +kernel-cn (2.4.22-9) stable; urgency=high + + * razrijesen problem sa Koncar SoftRAID-om -> RAID ce raditi + za racunala koja imaju md0 = sd{a,b}2, kao sto nalaze install + kuharica + * dodana IDE detekcija u modules + + -- Dinko Korunic Wed, 22 Oct 2003 21:40:11 +0200 + +kernel-cn (2.4.22-8) stable; urgency=low + + * nova verzija glavnog paketa + * izvorni kod je patchiran sa novijim MegaRAID driverom + * modularizirana je podrska za ekstra SCSI hardver + * kompletno je pripremljen za potrebe rekompilacije + * sustav se dize pomocu initrd, tako da se potreban hardver detektira + tijekom podizanja sustava + * testirano na Koncar, Compaq Proliant i DELL PowerEdge racunalima + + -- Dinko Korunic Mon, 20 Oct 2003 14:37:41 +0200 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..b8626c4 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +4 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..6e73958 --- /dev/null +++ b/debian/control 
@@ -0,0 +1,20 @@ +Source: kernel-2.6-cn +Section: base +Priority: required +Maintainer: Dinko Korunic +Build-Depends: debhelper (>= 4) +Standards-Version: 3.7.2 + +Package: kernel-2.6-cn +Architecture: i386 +Section: base +Depends: grub (>= 0.97-27etch1), procps (>= 1:3.2.7-3), iptables-cn (>= 1.2.11-4), perl-base, carnet-tools-cn (>= 2.7.1), module-init-tools (>= 3.3-pre4-2), mount (>= 2.12r-19etch1), e2fsprogs (>= 1.39+1.40-WIP-2006.11.14+dfsg-2etch1), microcode.ctl (>= 1.15-1), irqbalance (>= 0.12-7etch1), libc6-i686 (>= 2.3.6.ds1-13etch9+b1), mdadm (>= 2.5.6-9), linux-image-2.6.24-etchnhalf.1-686-bigmem (= 2.6.24-6~etchnhalf.7+cn1) +Conflicts: iplogger, kernel-cn, kernel-2.4-cn (<< 2.4.33-2) +Replaces: kernel-cn, kernel-2.4-cn +Provides: kernel-cn +Recommends: memtest86+ +Description: Linux kernel virtual package for CARNet Linux servers + This package is virtual package providing correct Linux kernel environment + for CARNet Debian Linux servers. + . + Linux kernel homepage: http://www.kernel.org diff --git a/debian/docs b/debian/docs new file mode 100644 index 0000000..ef5ce6c --- /dev/null +++ b/debian/docs @@ -0,0 +1,2 @@ +changelog.CARNet +README.CARNet diff --git a/debian/postinst b/debian/postinst new file mode 100755 index 0000000..e476a32 --- /dev/null +++ b/debian/postinst 
@@ -0,0 +1,372 @@ +#!/bin/sh +# postinst script for spamassassin-cn +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package +# + +case "$1" in + configure|reconfigure) + # continue below + ;; + + *) + exit 0 + ;; +esac + +# import CN-functions +. /usr/share/carnet-tools/functions.sh + +################################################################################ + +# starting up backup +echo -n "CN: Backed up to /var/backups:" + +# backup lilo.conf +if [ -e /etc/lilo.conf ]; then + cp_backup_conffile /etc/lilo.conf + echo -n " lilo.conf" +fi + +# backup old kernel params +if [ -e /etc/sysctl.conf ]; then + cp_backup_conffile /etc/sysctl.conf + echo -n " sysctl.conf" +fi + +# backup old kernel params +if [ -e /etc/kernel-img.conf ]; then + cp_backup_conffile /etc/kernel-img.conf + echo -n " kernel-img.conf" +fi + +# finished +echo "." + +################################################################################ + +# intro msg +echo -n "CN: Configuring system (this will take a while):" + +# generate kernel-img.conf +if [ ! 
-e /etc/kernel-img.conf ]; then + touch /etc/kernel-img.conf +fi + +# update postinst_hook for grub +if grep -q postinst_hook /etc/kernel-img.conf; then + cp_check_and_sed '^postinst_hook' \ + 's;^postinst_hook[[:blank:]]*=.*;postinst_hook = /usr/sbin/update-grub;g' \ + /etc/kernel-img.conf || true +else + echo "postinst_hook = /usr/sbin/update-grub" >> /etc/kernel-img.conf +fi + +# update postrm_hook for grub +if grep -q postrm_hook /etc/kernel-img.conf; then + cp_check_and_sed '^postrm_hook' \ + 's;^postrm_hook[[:blank:]]*=.*;postrm_hook = /usr/sbin/update-grub;g' \ + /etc/kernel-img.conf || true +else + echo "postrm_hook = /usr/sbin/update-grub" >> /etc/kernel-img.conf +fi + +# enable initrd +if grep -q do_initrd /etc/kernel-img.conf; then + cp_check_and_sed '^do_initrd' \ + 's/^do_initrd[[:blank:]]*=.*/do_initrd = yes/g' \ + /etc/kernel-img.conf || true +else + echo "do_initrd = yes" >> /etc/kernel-img.conf +fi + +echo -n " kernel-img.conf" + +# generate initial grub loaders +if [ ! -d /boot/grub ]; then + mkdir -p /boot/grub + if [ -d /usr/lib/grub/i386-pc ]; then + cp -a /usr/lib/grub/i386-pc/* /boot/grub + fi +fi + +# create/update grub configuration +if [ -e /boot/grub/menu.lst ]; then + # is there uncompatibile grub conf present? + if ! grep -q 'AUTOMAGIC KERNELS LIST' /boot/grub/menu.lst; then + mv -f /boot/grub/menu.lst /boot/grub/menu.lst.old + fi +fi +if [ ! -e /boot/grub/menu.lst ]; then + yes | /usr/sbin/update-grub >/dev/null 2>&1 || true +else + /usr/sbin/update-grub >/dev/null 2>&1 || true +fi + +if ! grub-install --no-floppy '(hd0)' >/dev/null 2>&1; then + echo "." + echo "CN: FATAL ERROR running grub-install!" + echo "CN: Do not reboot your server and report this to OTRS immediately!" + exit 1 +fi +echo -n " grub" + +# disable lilo +if [ -e /etc/lilo.conf ]; then + mv -f /etc/lilo.conf /etc/lilo.conf.old +fi +echo -n " lilo" + +# mdadm +if [ -x /usr/share/mdadm/mkconf ]; then + if [ ! 
-e /etc/mdadm/mdadm.conf ]; then + touch /etc/mdadm/mdadm.conf + fi + + /usr/share/mdadm/mkconf > /etc/mdadm/mdadm.conf.$$ + if ! cmp -s /etc/mdadm/mdadm.conf.$$ /etc/mdadm/mdadm.conf; then + mv /etc/mdadm/mdadm.conf.$$ /etc/mdadm/mdadm.conf + fi + rm -f /etc/mdadm/mdadm.conf.$$ /etc/initramfs-tools/hooks/md \ + /var/lib/mdadm/CONF-UNCHECKED + echo -n " mdadm" +fi + +# update initramfs accordingly +update-initramfs -u -k all >/dev/null 2>&1 || true +echo -n " initramfs" + +# finished +echo "." + +################################################################################ + +# rest of configuration... +echo -n "CN: Modifying the neccessary system files:" + +# remove group 99 +if getent group proc >/dev/null 2>&1; then + groupdel proc >/dev/null 2>&1 +fi +echo -n " proc" + +# remove oidentd from oident group +if getent group oident >/dev/null 2>&1; then + # sarge default + cp_check_and_sed '^OIDENT_GROUP[[:blank:]]*=[[:blank:]]*nogroup' \ + 's/^OIDENT_GROUP[[:blank:]]*=[[:blank:]]*nogroup/OIDENT_GROUP=oident/g' \ + /etc/default/oidentd || true + + # old kernel-2.6-cn default + cp_check_and_sed '^OIDENT_GROUP[[:blank:]]*=[[:blank:]]*proc' \ + 's/^OIDENT_GROUP[[:blank:]]*=[[:blank:]]*proc/OIDENT_GROUP=oident/g' \ + /etc/default/oidentd || true + + echo -n " oidentd" +fi + +# default kernel parameters +rm -f /etc/sysctl.conf.$$ +cat > /etc/sysctl.conf.$$ <> /etc/sysctl.conf.$$ + #ignore some of 2.4 stuff + egrep -v 'net\.core\.(r|w)mem_max|net\.ipv4\.tcp_(r|w)mem|vm\.bdflush|net\.ipv4\.ip_local_port_range|kernel\.rtsig-max|net\.ipv4\.tcp_syncookies' \ + /etc/sysctl.conf >> /etc/sysctl.conf.$$ +fi + +# add sysctl.conf Debian headers +rm -f /etc/sysctl.conf-head +cat > /etc/sysctl.conf-head < /etc/sysctl.conf-new +cat /etc/sysctl.conf-head /etc/sysctl.conf-new > /etc/sysctl.conf.$$ +rm -f /etc/sysctl.conf-head /etc/sysctl.conf-new + +# finished with merging, move into sysctl.conf +cp_mv /etc/sysctl.conf.$$ /etc/sysctl.conf +echo -n " sysctl.conf" + +# finished with 
basic kernel-2.6-cn stuff +echo "." + +################################################################################ + +# intro +echo -n "CN: Setting up PAM configurations:" + +# update pam_limits accordingly +if [ -e /etc/security/limits.conf ]; then + rm -f /etc/security/limits.conf.$$ + cp /etc/security/limits.conf /etc/security/limits.conf.$$ + cp-update kernel-2.6-cn /etc/security/limits.conf.$$ < /var/lib/dpkg/info/kernel-2.4-cn.postrm.$$ < /var/lib/dpkg/info/kernel-cn.postrm.$$ < `remove' +# * `purge' +# * `upgrade' +# * `failed-upgrade' +# * `abort-install' +# * `abort-install' +# * `abort-upgrade' +# * `disappear' overwrit>r> +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +# Debconf +. /usr/share/debconf/confmodule + +case "$1" in + purge) + # continue below + ;; + + *) + exit 0 + ;; +esac + +# import CN-functions +. /usr/share/carnet-tools/functions.sh + +################################################################################ + +echo -n "CN: Cleaning up..." + +# remove us from limits.conf +cp-update -r kernel-2.6-cn /etc/security/limits.conf +echo -n " limits" + +# remove us from modules +cp-update -r kernel-2.6-cn /etc/modules +echo -n " modules" + +echo "." + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..657559f --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,74 @@ +#!/usr/bin/make -f +# Sample debian/rules that uses debhelper. +# This file is public domain software, originally written by Joey Hess. +# +# This version is for packages that are architecture independent. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +build: build-stamp +build-stamp: + dh_testdir + + # Add here commands to compile the package. + #$(MAKE) + + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp + + # Add here commands to clean up after the build process. + #-$(MAKE) clean + #-$(MAKE) distclean + + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + # Add here commands to install the package into debian/. + #$(MAKE) prefix=`pwd`/debian/`dh_listpackages`/usr install + +# Build architecture-independent files here. +binary-indep: build install + dh_testdir + dh_testroot + dh_installchangelogs + dh_installdocs +# dh_installexamples + dh_install +# dh_installmenu +# dh_installdebconf +# dh_installlogrotate +# dh_installemacsen +# dh_installcatalogs +# dh_installpam +# dh_installmime +# dh_installinit +# dh_installcron +# dh_installinfo +# dh_undocumented + dh_installman + dh_link + dh_compress + dh_fixperms +# dh_perl +# dh_python + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + +# Build architecture-dependent files here. +binary-arch: build install +# We have nothing to do by default. + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install -- 1.7.10.4
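
Review bot: README.CARNet has two slips in its file lists: the backup list reads `//etc/kernel-img.conf -> /var/backups` with a doubled leading slash, and the last entry of the modified-files list names `/boot/vmlinuz.plain` twice. The intro also says initramfs replaces initrd while the `/etc/kernel-img.conf` entry says "aktivira initrd"; since postinst sets `do_initrd = yes` and then runs update-initramfs, one sentence explaining that the initrd switch is what enables the initramfs image would remove the apparent contradiction.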
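
Review bot: The top entry of debian/changelog (3:2.6.24-1) does not say what happens to the Grsecurity/PaX hardening that the earlier entries document (Grsecurity 2.1.12 in 2:2.6.26.3-1, UDEREF in 2:2.6.24.7-1), and it does not mention that the kernel version goes from 2.6.27.10 back to 2.6.24. Because the epoch bump pushes this package onto every server running a 2: version, the entry should state explicitly which protections are replaced by ExecShield and how the security fixes cited in 2:2.6.27.10-1 are covered by the etchnhalf kernel. The "omogucen TCP MD5 Signature (RFC 2385)" bullet is also repeated verbatim from the 2:2.6.27.10-1 entry.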
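
Review bot: In debian/control, Depends now requires `libc6-i686 (>= 2.3.6.ds1-13etch9+b1)`, but the 2:2.6.24.7-1 changelog entry introduced a conflict with libc6-i686 because of OOPSes and service crashes (SYSENTER), and the new changelog entry does not explain why the reversal is safe. Please document the reason in the 3:2.6.24-1 entry. The exact pin `linux-image-2.6.24-etchnhalf.1-686-bigmem (= 2.6.24-6~etchnhalf.7+cn1)` also means every kernel security rebuild needs a matching release of this package; if that is intended, say so in README.CARNet.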
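
Review bot: debian/postinst hides failures of boot-critical steps: both `update-grub` calls and `update-initramfs -u -k all` run with `>/dev/null 2>&1 || true`, yet the script goes on to move /etc/lilo.conf to lilo.conf.old and has already set `do_initrd = yes`. Only grub-install is checked, so a failed menu.lst or initramfs generation still ends in an apparently successful install on a machine that may not boot; check those exit codes the same way as grub-install and disable LILO only after all of them succeed. In the same file, the bare `groupdel proc >/dev/null 2>&1` will abort the script silently under `set -e` if it fails, `grub-install --no-floppy '(hd0)'` hard-codes the boot disk even though the script handles MD arrays a few lines later, and the header comment still reads "postinst script for spamassassin-cn".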
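
Review bot: The purge branch of debian/postrm sources `/usr/share/debconf/confmodule` and `/usr/share/carnet-tools/functions.sh` and calls `cp-update -r` unconditionally, but at purge time the package's dependencies may already have been removed, so the script can fail and leave the package half-purged. Guard each of them with an existence test (for example `[ -f /usr/share/carnet-tools/functions.sh ]` before sourcing, `[ -x "$(command -v cp-update)" ]` before calling). No db_* call appears in the visible postrm lines and debconf is not in Depends in debian/control, so the confmodule line can simply be dropped.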
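
Review bot: debian/rules does all the packaging work in `binary-indep` and keeps the template comment "This version is for packages that are architecture independent", while debian/control declares `Architecture: i386`. Move the dh_* sequence to `binary-arch` and leave `binary-indep` empty, so that an arch-only build still produces the package, and update the comment to match.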