[kernel-sec-discuss] r1800 - active retired
Michael Gilbert
gilbert-guest at alioth.debian.org
Wed Mar 31 03:54:06 UTC 2010
Author: gilbert-guest
Date: 2010-03-31 03:54:04 +0000 (Wed, 31 Mar 2010)
New Revision: 1800
Added:
retired/CVE-2010-futex-dos
retired/CVE-2010-kvm-null-ptr-dereference
retired/CVE-2010-sparc-needs-execute-bit-check
Removed:
active/CVE-2010-futex-dos
active/CVE-2010-kvm-null-ptr-dereference
Modified:
active/CVE-2009-mmap_min_addr-bypass
active/CVE-2009-tty-null-ptr-dereference
active/CVE-2010-configfs-refcount-leak
active/CVE-2010-ecryptfs-refcount-leak
active/CVE-2010-ecryptfs-use-after-free
active/CVE-2010-tty-race
active/CVE-2010-vgaarb-invalid-dereference
Log:
various updates/info
Modified: active/CVE-2009-mmap_min_addr-bypass
===================================================================
--- active/CVE-2009-mmap_min_addr-bypass 2010-03-31 03:08:14 UTC (rev 1799)
+++ active/CVE-2009-mmap_min_addr-bypass 2010-03-31 03:54:04 UTC (rev 1800)
@@ -5,10 +5,10 @@
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;f=security/min_addr.c;fp=security/min_addr.c;h=fc43c9d37084599056680e55c5e8c38491b117ba;hp=c844eed7915d0d270c058c16d6b3db40ffa576d0;hb=83fdbfbfe6e7e8906e3a3f8f6bc074d887e92109;hpb=d9b2c4d0b03c721808c0d259e43a27f1e80205bc
Notes:
Bugs:
-upstream:
-2.6.31-upstream-stable:
-linux-2.6:
+upstream: released (2.6.33) [0e1a6ef2]
+2.6.32-upstream-stable: needed
+linux-2.6: needed
2.6.18-etch-security: N/A "introduced in 2.6.31 commit 788084a"
2.6.24-etch-security: N/A "introduced in 2.6.31 commit 788084a"
2.6.26-lenny-security: N/A "introduced in 2.6.31 commit 788084a"
-2.6.32-squeeze-security:
+2.6.32-squeeze-security: needed
Modified: active/CVE-2009-tty-null-ptr-dereference
===================================================================
--- active/CVE-2009-tty-null-ptr-dereference 2010-03-31 03:08:14 UTC (rev 1799)
+++ active/CVE-2009-tty-null-ptr-dereference 2010-03-31 03:54:04 UTC (rev 1800)
@@ -5,11 +5,10 @@
http://bugzilla.kernel.org/show_bug.cgi?id=14605
http://xorl.wordpress.com/2009/11/30/linux-kernel-tty-null-pointer-dereference-race-condition/
Notes:
+ supposedly fixed in redhat kernels (see bug report above)
Bugs:
-upstream:
-2.6.31-upstream-stable:
-linux-2.6:
-2.6.18-etch-security:
-2.6.24-etch-security:
-2.6.26-lenny-security:
-2.6.32-squeeze-security:
+upstream: needed
+2.6.32-upstream-stable: needed
+linux-2.6: needed
+2.6.26-lenny-security: needed
+2.6.32-squeeze-security: needed
Modified: active/CVE-2010-configfs-refcount-leak
===================================================================
--- active/CVE-2010-configfs-refcount-leak 2010-03-31 03:08:14 UTC (rev 1799)
+++ active/CVE-2010-configfs-refcount-leak 2010-03-31 03:54:04 UTC (rev 1800)
@@ -5,10 +5,8 @@
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;f=fs/configfs/symlink.c;fp=fs/configfs/symlink.c;h=32a5f46b11578d2f0b319379cc8f2b940508a2f4;hp=c8afa6b1d91d67e73266c2e3287c63f23c9d1be9;hb=7dc9c484a71525794ca05cf7a47f283f1b54cd12;hpb=3a5dd791abef032fe57fc652c0232913c696e59b
Notes:
Bugs:
-upstream:
+upstream: released (2.6.33-rc5) [9b6e3102]
2.6.32-upstream-stable:
linux-2.6:
-2.6.18-etch-security:
-2.6.24-etch-security:
2.6.26-lenny-security:
2.6.32-squeeze-security:
Modified: active/CVE-2010-ecryptfs-refcount-leak
===================================================================
--- active/CVE-2010-ecryptfs-refcount-leak 2010-03-31 03:08:14 UTC (rev 1799)
+++ active/CVE-2010-ecryptfs-refcount-leak 2010-03-31 03:54:04 UTC (rev 1800)
@@ -5,10 +5,8 @@
http://lkml.indiana.edu/hypermail/linux/kernel/1001.1/00971.html
Notes:
Bugs:
-upstream:
+upstream: released (2.6.33-rc5) [806892e9]
2.6.32-upstream-stable:
linux-2.6:
-2.6.18-etch-security:
-2.6.24-etch-security:
2.6.26-lenny-security:
2.6.32-squeeze-security:
Modified: active/CVE-2010-ecryptfs-use-after-free
===================================================================
--- active/CVE-2010-ecryptfs-use-after-free 2010-03-31 03:08:14 UTC (rev 1799)
+++ active/CVE-2010-ecryptfs-use-after-free 2010-03-31 03:54:04 UTC (rev 1800)
@@ -7,7 +7,5 @@
upstream: released (2.6.33-rc5) [ece550f5]
2.6.32-upstream-stable: released (2.6.32.6) [36212162]
linux-2.6: released (2.6.32-6) [bugfix/all/stable/2.6.32.6]
-2.6.18-etch-security:
-2.6.24-etch-security:
-2.6.26-lenny-security:
+2.6.26-lenny-security: needed
2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/stable/2.6.32.6]
Deleted: active/CVE-2010-futex-dos
===================================================================
--- active/CVE-2010-futex-dos 2010-03-31 03:08:14 UTC (rev 1799)
+++ active/CVE-2010-futex-dos 2010-03-31 03:54:04 UTC (rev 1800)
@@ -1,13 +0,0 @@
-Candidate: needs to be requested
-Description:
- denial-of-service in kernel/futex.c
-References:
-Notes:
-Bugs:
-upstream: released (2.6.33-rc5) [7485d0d3]
-2.6.32-upstream-stable: released (2.6.32.5) [d4c893f2]
-linux-2.6: released (2.6.32-6) [bugfix/all/stable/2.6.32.5]
-2.6.18-etch-security:
-2.6.24-etch-security:
-2.6.26-lenny-security:
-2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/stable/2.6.32.5]
Deleted: active/CVE-2010-kvm-null-ptr-dereference
===================================================================
--- active/CVE-2010-kvm-null-ptr-dereference 2010-03-31 03:08:14 UTC (rev 1799)
+++ active/CVE-2010-kvm-null-ptr-dereference 2010-03-31 03:54:04 UTC (rev 1800)
@@ -1,14 +0,0 @@
-Candidate: needs to be requested
-Description:
- kvm null ptr dereference
-References:
- http://patchwork.kernel.org/patch/61310/
-Notes:
-Bugs:
-upstream: released (2.6.33-rc1) [e50212bb]
-2.6.32-upstream-stable:
-linux-2.6:
-2.6.18-etch-security: N/A "kvm introduced in 2.6.25"
-2.6.24-etch-security: N/A "kvm introduced in 2.6.25"
-2.6.26-lenny-security:
-2.6.32-squeeze-security:
Modified: active/CVE-2010-tty-race
===================================================================
--- active/CVE-2010-tty-race 2010-03-31 03:08:14 UTC (rev 1799)
+++ active/CVE-2010-tty-race 2010-03-31 03:54:04 UTC (rev 1800)
@@ -7,8 +7,6 @@
Bugs:
upstream: released (2.6.33-rc5) [70362511]
2.6.32-upstream-stable: released (2.6.32.7) [0a1c275a]
-linux-2.6: released (2.6.32-6) [bugfix/all/stable/2.6.32.7]
-2.6.18-etch-security:
-2.6.24-etch-security:
-2.6.26-lenny-security:
-2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/stable/2.6.32.7]
+linux-2.6: released (2.6.32-6) [bugfix/all/stable/2.6.32.7.patch]
+2.6.26-lenny-security: needed
+2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/stable/2.6.32.7.patch]
Modified: active/CVE-2010-vgaarb-invalid-dereference
===================================================================
--- active/CVE-2010-vgaarb-invalid-dereference 2010-03-31 03:08:14 UTC (rev 1799)
+++ active/CVE-2010-vgaarb-invalid-dereference 2010-03-31 03:54:04 UTC (rev 1800)
@@ -6,9 +6,7 @@
Notes:
Bugs:
upstream: released (2.6.33) [2cc9116c]
-2.6.32-upstream-stable:
-linux-2.6:
-2.6.18-etch-security:
-2.6.24-etch-security:
-2.6.26-lenny-security:
-2.6.32-squeeze-security:
+2.6.32-upstream-stable: needed
+linux-2.6: needed
+2.6.26-lenny-security: N/A "no vgaarb code"
+2.6.32-squeeze-security: needed
Copied: retired/CVE-2010-futex-dos (from rev 1799, active/CVE-2010-futex-dos)
===================================================================
--- retired/CVE-2010-futex-dos (rev 0)
+++ retired/CVE-2010-futex-dos 2010-03-31 03:54:04 UTC (rev 1800)
@@ -0,0 +1,11 @@
+Candidate: needs to be requested
+Description:
+ denial-of-service in kernel/futex.c
+References:
+Notes:
+Bugs:
+upstream: released (2.6.33-rc5) [7485d0d3]
+2.6.32-upstream-stable: released (2.6.32.5) [d4c893f2]
+linux-2.6: released (2.6.32-6) [bugfix/all/stable/2.6.32.5]
+2.6.26-lenny-security: N/A "vulnerable code not present"
+2.6.32-squeeze-security: released (2.6.32-6) [bugfix/all/stable/2.6.32.5]
Copied: retired/CVE-2010-kvm-null-ptr-dereference (from rev 1799, active/CVE-2010-kvm-null-ptr-dereference)
===================================================================
--- retired/CVE-2010-kvm-null-ptr-dereference (rev 0)
+++ retired/CVE-2010-kvm-null-ptr-dereference 2010-03-31 03:54:04 UTC (rev 1800)
@@ -0,0 +1,14 @@
+Candidate: needs to be requested
+Description:
+ kvm null ptr dereference
+References:
+ http://patchwork.kernel.org/patch/61310/
+Notes:
+Bugs:
+upstream: released (2.6.33-rc1) [e50212bb]
+2.6.32-upstream-stable: released (2.6.32.10) [454f8b167]
+linux-2.6: released (2.6.32-10) [bugfix/all/stable/2.6.32.10.patch]
+2.6.18-etch-security: N/A "kvm introduced in 2.6.25"
+2.6.24-etch-security: N/A "kvm introduced in 2.6.25"
+2.6.26-lenny-security: N/A "vulnerable code not yet present"
+2.6.32-squeeze-security: released (2.6.32-10) [bugfix/all/stable/2.6.32.10.patch]
Added: retired/CVE-2010-sparc-needs-execute-bit-check
===================================================================
--- retired/CVE-2010-sparc-needs-execute-bit-check (rev 0)
+++ retired/CVE-2010-sparc-needs-execute-bit-check 2010-03-31 03:54:04 UTC (rev 1800)
@@ -0,0 +1,13 @@
+Candidate:
+Description:
+ Execution possible in non-executable mappings on sparc in recent 2.6 kernels
+References:
+ http://marc.info/?l=linux-sparc&m=126662196902830&w=2
+ http://marc.info/?l=linux-sparc&m=126662159602378&w=2
+Notes:
+Bugs:
+upstream: released (2.6.33) [1f474646]
+2.6.32-upstream-stable: released (2.6.32.10) [26e272a3c]
+linux-2.6: released (2.6.32-10) [bugfix/all/stable/2.6.32.10.patch]
+2.6.26-lenny-security: N/A "vulnerable code not yet present"
+2.6.32-squeeze-security: released (2.6.32-10) [bugfix/all/stable/2.6.32.10.patch]
More information about the kernel-sec-discuss
mailing list