[kernel-sec-discuss] r1734 - active retired
dann frazier
dannf at debian.org
Sun Feb 14 21:30:29 UTC 2010
Actually, I was/am planning to do one more upload for both 2.6.18 &
2.6.24.
2.6.18 needs to update for the final d-i spin or s390 will remain
uninstallable, and 2.6.24 has several updates queued. I'd wanted to
get them done earlier, but the last 2.6.26 update was a pretty big
time sink.
On Sun, Feb 14, 2010 at 09:15:26PM +0000, Moritz Muehlenhoff wrote:
> Author: jmm
> Date: 2010-02-14 21:15:03 +0000 (Sun, 14 Feb 2010)
> New Revision: 1734
>
> Added:
> retired/CVE-2009-3939
> retired/CVE-2009-4027
> Removed:
> active/CVE-2009-3939
> active/CVE-2009-4027
> Modified:
> active/CVE-2009-3613
> active/CVE-2009-3620
> active/CVE-2009-3725
> active/CVE-2009-3726
> active/CVE-2009-4005
> active/CVE-2009-4020
> active/CVE-2009-4021
> active/CVE-2009-4141
> active/CVE-2009-4536
> active/CVE-2009-4538
> active/CVE-2010-0003
> active/CVE-2010-0006
> Log:
> various further updates:
> - record fixes to sid
> - more ignored (EOL) entries for Etch
> - retire two more issues
>
>
> Modified: active/CVE-2009-3613
> ===================================================================
> --- active/CVE-2009-3613 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-3613 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -9,6 +9,6 @@
> Bugs:
> upstream: released (2.6.29) [a866bbf, 97d477a]
> linux-2.6: released (2.6.29-1)
> -2.6.18-etch-security: ignored (2.6.18.dfsg.1-26etch1) "needs port"
> +2.6.18-etch-security: ignored (EOL)
> 2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/r8169-balance-pci_map-pci_unmap-pair.patch, bugfix/all/r8169-use-hardware-auto-padding.patch]
> 2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/r8169-use-hardware-auto-padding.patch]
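Review bot: the new 2.6.18-etch-security status drops the previously recorded reason ("needs port") instead of carrying it over; if the entry is being closed as EOL, keeping the earlier assessment as a quoted note, e.g. `2.6.18-etch-security: ignored (EOL) "needs port"`, preserves why no fix shipped in 2.6.18.dfsg.1-26etch1. The reply above also says one more 2.6.18 upload is still planned for the final d-i spin, so it is worth confirming that EOL here is meant to apply to security fixes only.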
>
> Modified: active/CVE-2009-3620
> ===================================================================
> --- active/CVE-2009-3620 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-3620 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -9,6 +9,6 @@
> Bugs:
> upstream: released (2.6.32-rc1) [7dc482dfeeeefcfd000d4271c4626937406756d7]
> linux-2.6: released (2.6.32-1)
> -2.6.18-etch-security: needed
> +2.6.18-etch-security: ignored (EOL)
> 2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch]
> 2.6.26-lenny-security: released (2.6.26-19lenny2) [bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch]
>
> Modified: active/CVE-2009-3725
> ===================================================================
> --- active/CVE-2009-3725 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-3725 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -13,5 +13,5 @@
> upstream: released (2.6.32-rc3) [cc44578b5a508889beb8ae3ccd4d2bbdf17bc86c, 98a5783af02f4c9b87b676d7bbda6258045cfc76, 5788c56891cfb310e419c4f9ae20427851797431, 24836479a126e02be691e073c2b6cad7e7ab836a], released (2.6.31.5) [127f1bdba584bc2aa2f910273b6b5701d5bad3ed, 85a79fc56eaee6587d19971b5348261773c1c507, 060425ef1d42f59b9b3faed31406e9e59c7464a0, e1a7338bc0da30633357c84be4df222a1bdbfd99]
> linux-2.6: released (2.6.31-1)
> 2.6.18-etch-security: N/A
> -2.6.24-etch-security: needed "upstream fix requires API changes"
> +2.6.24-etch-security: ignored (EOL)
> 2.6.26-lenny-security: needed "upstream fix requires API changes"
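Review bot: this is the only hunk in the revision that marks 2.6.24-etch-security as ignored (EOL); every other 2.6.24 line touched here is still pending in 2.6.24-6~etchnhalf.9etch2, and the reply above says 2.6.24 has several updates queued. If the real blocker is the one on the removed line ("upstream fix requires API changes", still recorded for 2.6.26-lenny-security two lines down), keeping `needed "upstream fix requires API changes"` or `ignored "upstream fix requires API changes"` is more accurate than EOL.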
>
> Modified: active/CVE-2009-3726
> ===================================================================
> --- active/CVE-2009-3726 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-3726 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -8,6 +8,6 @@
> Bugs:
> upstream: released (2.6.31) [d953126a28f97ec965d23c69fd5795854c048f30]
> linux-2.6: released (2.6.31-1)
> -2.6.18-etch-security:
> +2.6.18-etch-security: ignored (EOL)
> 2.6.24-etch-security: pending (2.6.24-6~etchnhalf.9etch2) [bugfix/all/nfsv4-buggy-server-oops.patch]
> 2.6.26-lenny-security: released (2.6.26-21) [bugfix/all/nfsv4-buggy-server-oops.patch]
>
> Deleted: active/CVE-2009-3939
> ===================================================================
> --- active/CVE-2009-3939 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-3939 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -1,18 +0,0 @@
> -Candidate: CVE-2009-3939
> -Description:
> - The poll_mode_io file for the megaraid_sas driver in the Linux kernel
> - 2.6.31.6 and earlier has world-writable permissions, which allows local
> - users to change the I/O mode of the driver by modifying this file.
> -References:
> - http://www.openwall.com/lists/oss-security/2009/11/13/1
> -Notes:
> - jmm> Introduced in ad84db2e2e1817bb8a29e7c9108eb66bf023d99f
> - jmm> Fixed in bb7d3f24c71e528989501617651b669fbed798cb
> -Bugs: #562975 (patch available)
> -upstream: released (2.6.32.5, 2.6.33-rc4)
> -2.6.32-upstream-stable: released (2.6.32.5) [94249e60370f0094831ba673881222252d799257)]
> -linux-2.6: released (2.6.32-6) [bugfix/all/stable/2.6.32.5.patch]
> -2.6.18-etch-security: N/A "introduced in 2.6.25 commit ad84db2e"
> -2.6.24-etch-security: N/A "introduced in 2.6.25 commit ad84db2e"
> -2.6.26-lenny-security: released (2.6.26-21lenny1) [bugfix/all/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-perms.patch]
> -2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/stable/2.6.32.5.patch]
>
> Modified: active/CVE-2009-4005
> ===================================================================
> --- active/CVE-2009-4005 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-4005 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -8,7 +8,7 @@
> upstream: released (2.6.32-rc7) [286e633e]
> 2.6.31-upstream-stable: N/A
> linux-2.6: released (2.6.32-1)
> -2.6.18-etch-security: needed
> +2.6.18-etch-security: ignored (EOL)
> 2.6.24-etch-security: pending (2.6.24-6~etchnhalf.9etch2) [bugfix/all/isdn-hfc_usb-fix-read-buffer-overflow.patch]
> 2.6.26-lenny-security: released (2.6.26-21) [bugfix/all/isdn-hfc_usb-fix-read-buffer-overflow.patch]
> 2.6.32-squeeze-security: released (2.6.32-1)
>
> Modified: active/CVE-2009-4020
> ===================================================================
> --- active/CVE-2009-4020 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-4020 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -8,7 +8,7 @@
> upstream: released (2.6.33-rc1) [ec81aecb]
> 2.6.32-upstream-stable: released (2.6.32.2) [037b7867]
> linux-2.6: released (2.6.32-3)
> -2.6.18-etch-security: needed
> +2.6.18-etch-security: ignored (EOL)
> 2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch2) [bugfix/all/hfs-fix-a-potential-buffer-overflow.patch]
> 2.6.26-lenny-security: released (2.6.26-21) [bugfix/all/hfs-fix-a-potential-buffer-overflow.patch]
> 2.6.32-squeeze-security: released (2.6.32-3)
>
> Modified: active/CVE-2009-4021
> ===================================================================
> --- active/CVE-2009-4021 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-4021 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -8,7 +8,7 @@
> Bugs:
> upstream: released (2.6.32-rc7) [f60311d5]
> linux-2.6: released (2.6.32-1)
> -2.6.18-etch-security: needed
> +2.6.18-etch-security: ignored (EOL)
> 2.6.24-etch-security: pending (2.6.24-6~etchnhalf.9etch2) [bugfix/all/fuse-prevent-fuse_put_request-on-invalid-pointer.patch]
> 2.6.26-lenny-security: released (2.6.26-21) [bugfix/all/fuse-prevent-fuse_put_request-on-invalid-pointer.patch]
> 2.6.32-squeeze-security: released (2.6.32-1)
>
> Deleted: active/CVE-2009-4027
> ===================================================================
> --- active/CVE-2009-4027 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-4027 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -1,13 +0,0 @@
> -Candidate: CVE-2009-4027
> -Description:
> - mac80211 issue
> -References:
> - http://www.openwall.com/lists/oss-security/2009/12/01/2
> -Notes:
> -Bugs:
> -upstream: released (2.6.32) [827d42c9]
> -linux-2.6: released (2.6.32-1)
> -2.6.18-etch-security: N/A "introduced in 2.6.26 commit d92684e6"
> -2.6.24-etch-security: N/A "introduced in 2.6.26 commit d92684e6"
> -2.6.26-lenny-security: released (2.6.26-21lenny1) [bugfix/all/mac80211-fix-spurious-delBA-handling.patch]
> -2.6.32-squeeze-security: released (2.6.32-1)
>
> Modified: active/CVE-2009-4141
> ===================================================================
> --- active/CVE-2009-4141 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-4141 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -11,9 +11,9 @@
> jmm> Commit 53281b6d
> upstream: released (2.6.32.4)
> 2.6.32-upstream-stable: released (2.6.32.4)
> -linux-2.6: pending (2.6.32-6) [bugfix/all/fasync-split-fasync_helper.patch]
> +linux-2.6: released (2.6.32-6) [bugfix/all/fasync-split-fasync_helper.patch]
> 2.6.18-etch-security: N/A
> 2.6.24-etch-security: N/A
> 2.6.26-lenny-security: N/A
> -2.6.32-squeeze-security: pending (2.6.32-6) [bugfix/all/fasync-split-fasync_helper.patch]
> +2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/fasync-split-fasync_helper.patch]
>
>
> Modified: active/CVE-2009-4536
> ===================================================================
> --- active/CVE-2009-4536 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-4536 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -10,7 +10,7 @@
> upstream: released (2.6.33-rc6) [40a14dea]
> 2.6.32-upstream-stable:
> linux-2.6: released (2.6.32-6) [bugfix/all/e1000-enhance-frame-fragment-detection.patch]
> -2.6.18-etch-security:
> +2.6.18-etch-security: ignored (EOL)
> 2.6.24-etch-security: pending (2.6.24-6~etchnhalf.9etch2) [bugfix/all/e1000-enhance-frame-fragment-detection.patch]
> 2.6.26-lenny-security: released (2.6.26-21lenny1) [bugfix/all/e1000-enhance-frame-fragment-detection.patch]
> 2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/e1000-enhance-frame-fragment-detection.patch]
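Review bot: the 2.6.32-upstream-stable line is left empty even though upstream is recorded as released (2.6.33-rc6) and linux-2.6 already ships bugfix/all/e1000-enhance-frame-fragment-detection.patch in 2.6.32-6; the entry should state whether the fix is in a 2.6.32.y stable release, or `needed`/`pending` if it is not, so the squeeze tracking does not rest on the Debian patch alone. The same blank appears in the CVE-2009-4538 entry that follows.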
>
> Modified: active/CVE-2009-4538
> ===================================================================
> --- active/CVE-2009-4538 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2009-4538 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -10,7 +10,7 @@
> upstream: released (2.6.33-rc6) [b94b5028]
> 2.6.32-upstream-stable:
> linux-2.6: released (2.6.32-6) [bugfix/all/e1000e-enhance-fragment-detection.patch]
> -2.6.18-etch-security:
> +2.6.18-etch-security: ignored (EOL)
> 2.6.24-etch-security: pending (2.6.24-6~etchnhalf.9etch2) [bugfix/all/e1000e-enhance-frame-fragment-detection.patch]
> 2.6.26-lenny-security: released (2.6.26-21lenny1) [bugfix/all/e1000e-enhance-frame-fragment-detection.patch]
> 2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/e1000e-enhance-fragment-detection.patch]
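Review bot: the patch filenames in this entry do not agree with each other: linux-2.6 and 2.6.32-squeeze-security cite bugfix/all/e1000e-enhance-fragment-detection.patch, while 2.6.24-etch-security and 2.6.26-lenny-security cite bugfix/all/e1000e-enhance-frame-fragment-detection.patch. Either these are genuinely two differently named backports or one name is a typo; check the patch directories and make the names match the files that exist.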
>
> Modified: active/CVE-2010-0003
> ===================================================================
> --- active/CVE-2010-0003 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2010-0003 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -8,7 +8,7 @@
> upstream: released (2.6.33-rc4) [b45c6e76bc]
> 2.6.32-upstream-stable: released (2.6.32.4)
> linux-2.6: released (2.6.32-6) [bugfix/all/stable/2.6.32.4.patch]
> -2.6.18-etch-security:
> +2.6.18-etch-security: ignored (EOL)
> 2.6.24-etch-security: pending (2.6.24-6~etchnhalf.9etch2) [bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch]
> 2.6.26-lenny-security: released (2.6.26-21lenny1) [bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch]
> 2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/stable/2.6.32.4.patch]
>
> Modified: active/CVE-2010-0006
> ===================================================================
> --- active/CVE-2010-0006 2010-02-14 21:09:08 UTC (rev 1733)
> +++ active/CVE-2010-0006 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -10,8 +10,8 @@
> Bugs:
> upstream: released (2.6.33) (2570a4f5428bcdb1077622342181755741e7fa60)
> 2.6.32-upstream-stable: released (2.6.32.4)
> -linux-2.6: pending (2.6.32-6)
> +linux-2.6: released (2.6.32-6)
> 2.6.18-etch-security: N/A "introduced in 2.6.28 commit 483a47d2"
> 2.6.24-etch-security: N/A "introduced in 2.6.28 commit 483a47d2"
> 2.6.26-lenny-security: N/A "introduced in 2.6.28 commit 483a47d2"
> -2.6.32-squeeze-security: pending (2.6.32-6)
> +2.6.32-squeeze-security: released (2.6.32-6)
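Review bot: the upstream line puts the commit id in parentheses, `upstream: released (2.6.33) (2570a4f5428bcdb1077622342181755741e7fa60)`, whereas every other entry in this revision puts commit ids in square brackets after the version; write it as `upstream: released (2.6.33) [2570a4f5428bcdb1077622342181755741e7fa60]` so readers and tooling that expect the bracketed form find it.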
>
> Copied: retired/CVE-2009-3939 (from rev 1730, active/CVE-2009-3939)
> ===================================================================
> --- retired/CVE-2009-3939 (rev 0)
> +++ retired/CVE-2009-3939 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -0,0 +1,18 @@
> +Candidate: CVE-2009-3939
> +Description:
> + The poll_mode_io file for the megaraid_sas driver in the Linux kernel
> + 2.6.31.6 and earlier has world-writable permissions, which allows local
> + users to change the I/O mode of the driver by modifying this file.
> +References:
> + http://www.openwall.com/lists/oss-security/2009/11/13/1
> +Notes:
> + jmm> Introduced in ad84db2e2e1817bb8a29e7c9108eb66bf023d99f
> + jmm> Fixed in bb7d3f24c71e528989501617651b669fbed798cb
> +Bugs: #562975 (patch available)
> +upstream: released (2.6.32.5, 2.6.33-rc4)
> +2.6.32-upstream-stable: released (2.6.32.5) [94249e60370f0094831ba673881222252d799257)]
> +linux-2.6: released (2.6.32-6) [bugfix/all/stable/2.6.32.5.patch]
> +2.6.18-etch-security: N/A "introduced in 2.6.25 commit ad84db2e"
> +2.6.24-etch-security: N/A "introduced in 2.6.25 commit ad84db2e"
> +2.6.26-lenny-security: released (2.6.26-21lenny1) [bugfix/all/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-perms.patch]
> +2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/stable/2.6.32.5.patch]
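Review bot: the stray `)` inside the brackets on the 2.6.32-upstream-stable line, `[94249e60370f0094831ba673881222252d799257)]`, is carried into the retired copy unchanged; since this is the version that will be kept, correct it to `[94249e60370f0094831ba673881222252d799257]` as part of retiring. Retiring is otherwise consistent: every Debian suite line is either released or N/A.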
>
> Copied: retired/CVE-2009-4027 (from rev 1730, active/CVE-2009-4027)
> ===================================================================
> --- retired/CVE-2009-4027 (rev 0)
> +++ retired/CVE-2009-4027 2010-02-14 21:15:03 UTC (rev 1734)
> @@ -0,0 +1,13 @@
> +Candidate: CVE-2009-4027
> +Description:
> + mac80211 issue
> +References:
> + http://www.openwall.com/lists/oss-security/2009/12/01/2
> +Notes:
> +Bugs:
> +upstream: released (2.6.32) [827d42c9]
> +linux-2.6: released (2.6.32-1)
> +2.6.18-etch-security: N/A "introduced in 2.6.26 commit d92684e6"
> +2.6.24-etch-security: N/A "introduced in 2.6.26 commit d92684e6"
> +2.6.26-lenny-security: released (2.6.26-21lenny1) [bugfix/all/mac80211-fix-spurious-delBA-handling.patch]
> +2.6.32-squeeze-security: released (2.6.32-1)
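Review bot: the Description of this entry is still the placeholder "mac80211 issue" and the Notes section is empty, and it is being retired in that state; before retiring, fill in the actual description (the CVE text, or at minimum what the lenny backport bugfix/all/mac80211-fix-spurious-delBA-handling.patch addresses) so the retired record remains useful without having to follow the oss-security reference.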
>
>
> _______________________________________________
> kernel-sec-discuss mailing list
> kernel-sec-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/kernel-sec-discuss
>
--
dann frazier