[kernel-sec-discuss] r1517 - active retired

Moritz Muehlenhoff jmm at alioth.debian.org
Mon Oct 19 17:15:25 UTC 2009 

Author: jmm
Date: 2009-10-19 17:15:25 +0000 (Mon, 19 Oct 2009)
New Revision: 1517

Added:
   retired/CVE-2007-3843
   retired/CVE-2007-6514
   retired/CVE-2008-1514
   retired/CVE-2008-2137
   retired/CVE-2008-2365
Removed:
   active/CVE-2007-3843
   active/CVE-2007-6514
   active/CVE-2008-1514
   active/CVE-2008-2137
   active/CVE-2008-2365
Log:
retire old issues


Deleted: active/CVE-2007-3843
===================================================================
--- active/CVE-2007-3843	2009-10-19 17:12:33 UTC (rev 1516)
+++ active/CVE-2007-3843	2009-10-19 17:15:25 UTC (rev 1517)
@@ -1,24 +0,0 @@
-Candidate: CVE-2007-3843
-References: 
-Description: 
- The Linux kernel before 2.6.23-rc1 checks the wrong global variable
- for the CIFS sec mount option, which might allow remote attackers to
- spoof CIFS network traffic that the client configured for security
- signatures, as demonstrated by lack of signing despite sec=ntlmv2i in
- a SetupAndX request.
-Ubuntu-Description: 
- A flaw was discovered in the CIFS mount security checking.  Remote attackers
- could spoof CIFS network traffic, which could lead a client to trust the
- connection.
-Notes: 
-Bugs: 
-upstream: released (2.6.23-rc1)
-linux-2.6: released (2.6.23-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch2) [bugfix/cifs-fix-sign-settings.patch]
-2.6.24-etch-security: N/A
-2.6.26-lenny-security: N/A
-2.6.8-sarge-security: ignore (2.6.8-17sarge1) "code looks substantially different"
-2.4.27-sarge-security: N/A "No cifs in 2.4.27"
-2.6.15-dapper-security: ignored (code looks substantially different)
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: released (2.6.20-16.31)

Deleted: active/CVE-2007-6514
===================================================================
--- active/CVE-2007-6514	2009-10-19 17:12:33 UTC (rev 1516)
+++ active/CVE-2007-6514	2009-10-19 17:15:25 UTC (rev 1517)
@@ -1,21 +0,0 @@
-Candidate: CVE-2007-6514
-Description: 
-References: 
-Ubuntu-Description: 
-Notes: 
- jmm> Needs fixing in smbfs rather than in Apache
- jmm> Also fixed by 3b7c8108273bed41a2fc04533cc9f2026ff38c8e
- the attack vector for this one is so obscure: the worst that can
- happen is disclosure of scripts hosted on an apache server serving
- those scripts, and only if those scripts are on a windows share.
-Bugs: 
-upstream: released (2.6.17)
-linux-2.6: released (2.6.17-1)
-2.6.18-etch-security: N/A
-2.6.24-etch-security: N/A
-2.6.26-lenny-security: N/A
-2.6.15-dapper-security:  
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
-2.6.24-hardy-security: N/A

Deleted: active/CVE-2008-1514
===================================================================
--- active/CVE-2008-1514	2009-10-19 17:12:33 UTC (rev 1516)
+++ active/CVE-2008-1514	2009-10-19 17:15:25 UTC (rev 1517)
@@ -1,19 +0,0 @@
-Candidate: CVE-2008-1514
-Description: s390-specific ptrace DoS 
-References:
- http://sourceware.org/systemtap/wiki/utrace/tests
- https://bugzilla.redhat.com/show_bug.cgi?id=438147
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3d6e48f43340343d97839eadb1ab7b6a3ea98797
- http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.27-rc6
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.27)
-linux-2.6: released (2.6.26-8) [bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch]
-2.6.18-etch-security: released (2.6.18.dfsg.1-22etch3) [bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch]
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.6) [bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch]
-2.6.26-lenny-security: released (2.6.26-8) [bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch]
-2.6.15-dapper-security: ignored (s390 only)
-2.6.20-feisty-security: ignored (s390 only)
-2.6.22-gutsy-security: ignored (s390 only)
-2.6.24-hardy-security: ignored (s390 only)

Deleted: active/CVE-2008-2137
===================================================================
--- active/CVE-2008-2137	2009-10-19 17:12:33 UTC (rev 1516)
+++ active/CVE-2008-2137	2009-10-19 17:15:25 UTC (rev 1517)
@@ -1,16 +0,0 @@
-Candidate: CVE-2008-2137
-Description: 
-References: 
-Ubuntu-Description: 
-Notes: 
- jmm> 5816339310b2d9623cf413d33e538b45e815da5d
-Bugs: 
-upstream: released (2.6.26)
-linux-2.6: released (2.6.26-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch5) [bugfix/sparc-fix-mmap-va-span-checking.patch, bugfix/sparc-fix-mremap-addr-range-validation.patch]
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.3) [bugfix/sparc-fix-mmap-va-span-checking.patch, bugfix/sparc-fix-mremap-addr-range-validation.patch]
-2.6.26-lenny-security: N/A
-2.6.15-dapper-security: released (2.6.15-52.69)
-2.6.20-feisty-security: released (2.6.20-17.37)
-2.6.22-gutsy-security: released (2.6.22-15.56)
-2.6.24-hardy-security: released (2.6.24-19.36)

Deleted: active/CVE-2008-2365
===================================================================
--- active/CVE-2008-2365	2009-10-19 17:12:33 UTC (rev 1516)
+++ active/CVE-2008-2365	2009-10-19 17:15:25 UTC (rev 1517)
@@ -1,20 +0,0 @@
-Candidate: CVE-2008-2365
-Description: 
-References: 
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=5ecfbae093f0c37311e89b29bfc0c9d586eace87
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f5b40e363ad6041a96e3da32281d8faa191597b9
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f358166a9405e4f1d8e50d8f415c26d95505b6de
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2365
- http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/late-ptrace-may-attach-check.c?cvsroot=systemtap
-Ubuntu-Description: 
-Notes: 
-Bugs: 
-upstream: released (2.6.17)
-linux-2.6: N/A
-2.6.18-etch-security: N/A
-2.6.24-etch-security: N/A
-2.6.26-lenny-security: N/A
-2.6.15-dapper-security: released (2.6.15-52.69)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
-2.6.24-hardy-security: N/A

Copied: retired/CVE-2007-3843 (from rev 1514, active/CVE-2007-3843)
===================================================================
--- retired/CVE-2007-3843	                        (rev 0)
+++ retired/CVE-2007-3843	2009-10-19 17:15:25 UTC (rev 1517)
@@ -0,0 +1,24 @@
+Candidate: CVE-2007-3843
+References: 
+Description: 
+ The Linux kernel before 2.6.23-rc1 checks the wrong global variable
+ for the CIFS sec mount option, which might allow remote attackers to
+ spoof CIFS network traffic that the client configured for security
+ signatures, as demonstrated by lack of signing despite sec=ntlmv2i in
+ a SetupAndX request.
+Ubuntu-Description: 
+ A flaw was discovered in the CIFS mount security checking.  Remote attackers
+ could spoof CIFS network traffic, which could lead a client to trust the
+ connection.
+Notes: 
+Bugs: 
+upstream: released (2.6.23-rc1)
+linux-2.6: released (2.6.23-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch2) [bugfix/cifs-fix-sign-settings.patch]
+2.6.24-etch-security: N/A
+2.6.26-lenny-security: N/A
+2.6.8-sarge-security: ignore (2.6.8-17sarge1) "code looks substantially different"
+2.4.27-sarge-security: N/A "No cifs in 2.4.27"
+2.6.15-dapper-security: ignored (code looks substantially different)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-16.31)

Copied: retired/CVE-2007-6514 (from rev 1514, active/CVE-2007-6514)
===================================================================
--- retired/CVE-2007-6514	                        (rev 0)
+++ retired/CVE-2007-6514	2009-10-19 17:15:25 UTC (rev 1517)
@@ -0,0 +1,21 @@
+Candidate: CVE-2007-6514
+Description: 
+References: 
+Ubuntu-Description: 
+Notes: 
+ jmm> Needs fixing in smbfs rather than in Apache
+ jmm> Also fixed by 3b7c8108273bed41a2fc04533cc9f2026ff38c8e
+ the attack vector for this one is so obscure: the worst that can
+ happen is disclosure of scripts hosted on an apache server serving
+ those scripts, and only if those scripts are on a windows share.
+Bugs: 
+upstream: released (2.6.17)
+linux-2.6: released (2.6.17-1)
+2.6.18-etch-security: N/A
+2.6.24-etch-security: N/A
+2.6.26-lenny-security: N/A
+2.6.15-dapper-security:  
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A

Copied: retired/CVE-2008-1514 (from rev 1516, active/CVE-2008-1514)
===================================================================
--- retired/CVE-2008-1514	                        (rev 0)
+++ retired/CVE-2008-1514	2009-10-19 17:15:25 UTC (rev 1517)
@@ -0,0 +1,19 @@
+Candidate: CVE-2008-1514
+Description: s390-specific ptrace DoS 
+References:
+ http://sourceware.org/systemtap/wiki/utrace/tests
+ https://bugzilla.redhat.com/show_bug.cgi?id=438147
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3d6e48f43340343d97839eadb1ab7b6a3ea98797
+ http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.27-rc6
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.27)
+linux-2.6: released (2.6.26-8) [bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch]
+2.6.18-etch-security: released (2.6.18.dfsg.1-22etch3) [bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch]
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.6) [bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch]
+2.6.26-lenny-security: released (2.6.26-8) [bugfix/s390/prevent-ptrace-padding-area-read-write-in-31-bit-mode.patch]
+2.6.15-dapper-security: ignored (s390 only)
+2.6.20-feisty-security: ignored (s390 only)
+2.6.22-gutsy-security: ignored (s390 only)
+2.6.24-hardy-security: ignored (s390 only)

Copied: retired/CVE-2008-2137 (from rev 1515, active/CVE-2008-2137)
===================================================================
--- retired/CVE-2008-2137	                        (rev 0)
+++ retired/CVE-2008-2137	2009-10-19 17:15:25 UTC (rev 1517)
@@ -0,0 +1,16 @@
+Candidate: CVE-2008-2137
+Description: 
+References: 
+Ubuntu-Description: 
+Notes: 
+ jmm> 5816339310b2d9623cf413d33e538b45e815da5d
+Bugs: 
+upstream: released (2.6.26)
+linux-2.6: released (2.6.26-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch5) [bugfix/sparc-fix-mmap-va-span-checking.patch, bugfix/sparc-fix-mremap-addr-range-validation.patch]
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.3) [bugfix/sparc-fix-mmap-va-span-checking.patch, bugfix/sparc-fix-mremap-addr-range-validation.patch]
+2.6.26-lenny-security: N/A
+2.6.15-dapper-security: released (2.6.15-52.69)
+2.6.20-feisty-security: released (2.6.20-17.37)
+2.6.22-gutsy-security: released (2.6.22-15.56)
+2.6.24-hardy-security: released (2.6.24-19.36)

Copied: retired/CVE-2008-2365 (from rev 1516, active/CVE-2008-2365)
===================================================================
--- retired/CVE-2008-2365	                        (rev 0)
+++ retired/CVE-2008-2365	2009-10-19 17:15:25 UTC (rev 1517)
@@ -0,0 +1,20 @@
+Candidate: CVE-2008-2365
+Description: 
+References: 
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=5ecfbae093f0c37311e89b29bfc0c9d586eace87
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f5b40e363ad6041a96e3da32281d8faa191597b9
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f358166a9405e4f1d8e50d8f415c26d95505b6de
+ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2365
+ http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/late-ptrace-may-attach-check.c?cvsroot=systemtap
+Ubuntu-Description: 
+Notes: 
+Bugs: 
+upstream: released (2.6.17)
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.24-etch-security: N/A
+2.6.26-lenny-security: N/A
+2.6.15-dapper-security: released (2.6.15-52.69)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A

More information about the kernel-sec-discuss mailing list