[kernel] r4976 - patch-tracking

Dann Frazier dannf at costa.debian.org
Tue Dec 6 07:47:54 UTC 2005


Author: dannf
Date: Tue Dec  6 07:47:51 2005
New Revision: 4976

Modified:
   patch-tracking/CVE-2003-0461
   patch-tracking/CVE-2003-0462
   patch-tracking/CVE-2003-0476
   patch-tracking/CVE-2003-0501
Log:
updates


Modified: patch-tracking/CVE-2003-0461
==============================================================================
--- patch-tracking/CVE-2003-0461	(original)
+++ patch-tracking/CVE-2003-0461	Tue Dec  6 07:47:51 2005
@@ -1,16 +1,36 @@
 Candidate: CVE-2003-0461
 References: 
-Description: 
+ MISC:http://rsbac.dyndns.org/pipermail/rsbac/2002-May/000162.html
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ REDHAT:RHSA-2004:188
+ URL:http://www.redhat.com/support/errata/RHSA-2004-188.html
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL304
+ URL:http://oval.mitre.org/oval/definitions/data/oval304.html
+ OVAL:OVAL997
+ URL:http://oval.mitre.org/oval/definitions/data/oval997.html
+ Description: 
+ /proc/tty/driver/serial in Linux 2.4.x reveals the exact number
+ of characters used in serial links, which could allow local users
+ to obtain potentially sensitive information such as the length of
+ passwords.
 Notes: 
+ dannf> Here's the patches I used:
+ http://linux.bkbits.net:8080/linux-2.4/cset@41a6020dX1GoVx_Eydy1jUOqc11tpw?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/proc_tty.c
+ http://linux.bkbits.net:8080/linux-2.4/cset@41aca810DvutJ8aEj43OuUqJ4e1EIw?nav=index.html|src/|src/include|src/include/linux|related/include/linux/proc_fs.h
 Bugs: 
-upstream: 
-2.6.14: 
-2.6.8-sarge-security: 
-2.4.27-sarge-security: 
-2.6.8: 
-2.4.19-woody-security: 
+upstream: released (2.4.29-pre2, 2.6.1)
+2.6.14: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-1)
+2.6.8: N/A
+2.4.19-woody-security: pending (2.4.19-4.woody3)
 2.4.18-woody-security: released (2.4.18-10)
-2.4.17-woody-security: 
-2.4.16-woody-security: 
-2.4.17-woody-security-hppa: 
+2.4.17-woody-security: pending (2.4.17-1woody4)
+2.4.16-woody-security: pending (2.4.16-1woody3)
+2.4.17-woody-security-hppa: pending (32.5)
 2.4.17-woody-security-ia64: released (011226.14.1)
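Review bot: the `Description:` key is now indented one space (the column-0 `-Description:` line is dropped and re-added as `+ Description:` inside the References block), which is inconsistent with the CVE-2003-0462, -0476 and -0501 files in this same commit, where `Description:` stays at column 0; anything that reads these files by field name will fold that key into References. Suggest keeping `Description:` unindented and indenting only its text. Also, `Bugs:` is still empty while the 2.4.19/2.4.17/2.4.16 woody-security lines are `pending`; a bug or DSA pointer there would help track those pending uploads.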

Modified: patch-tracking/CVE-2003-0462
==============================================================================
--- patch-tracking/CVE-2003-0462	(original)
+++ patch-tracking/CVE-2003-0462	Tue Dec  6 07:47:51 2005
@@ -1,6 +1,20 @@
 Candidate: CVE-2003-0462
 References: 
+ REDHAT:RHSA-2003:198
+ URL:http://www.redhat.com/support/errata/RHSA-2003-198.html
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL309
+ URL:http://oval.mitre.org/oval/definitions/data/oval309.html
 Description: 
+ A race condition in the way env_start and env_end pointers are
+ initialized in the execve system call and used in fs/proc/base.c
+ on Linux 2.4 allows local users to cause a denial of service
+ (crash).
 Notes: 
 Bugs: 
 upstream: 
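Review bot: every status field from `upstream:` down is left blank, although DSA-358 and DSA-423 are listed in References, which implies the woody fix state is already known; filling in at least `upstream:` and the 2.4.x woody-security lines (as was done for CVE-2003-0461 in this commit) would make the entry actionable. A `Notes:` pointer to the upstream changeset, as the 0461 entry carries, would also help the next person who has to verify the fix.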

Modified: patch-tracking/CVE-2003-0476
==============================================================================
--- patch-tracking/CVE-2003-0476	(original)
+++ patch-tracking/CVE-2003-0476	Tue Dec  6 07:47:51 2005
@@ -1,6 +1,27 @@
 Candidate: CVE-2003-0476
 References: 
+ BUGTRAQ:20030626 Linux 2.4.x execve() file read race vulnerability
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105664924024009&w=2
+ MANDRAKE:MDKSA-2003:074
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ REDHAT:RHSA-2003:368
+ URL:http://www.redhat.com/support/errata/RHSA-2003-368.html
+ REDHAT:RHSA-2003:408
+ URL:http://www.redhat.com/support/errata/RHSA-2003-408.html
+ SUSE:SuSE-SA:2003:034
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL327
+ URL:http://oval.mitre.org/oval/definitions/data/oval327.html
 Description: 
+ The execve system call in Linux 2.4.x records the file
+ descriptor of the executable process in the file table of the
+ calling process, which allows local users to gain read access to
+ restricted file descriptors.
 Notes: 
 Bugs: 
 upstream: 
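Review bot: References and Description are filled in, but `Notes:`, `Bugs:` and `upstream:` stay empty, so the entry still gives no indication of which tree carries the fix. The Bugtraq, MDKSA, RHSA and DSA references already point at vendor fixes, so `upstream:` should at least be set to the 2.4.x release that closed the execve() file-descriptor issue, and a `Notes:` line should record the patch used, as for CVE-2003-0461.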

Modified: patch-tracking/CVE-2003-0501
==============================================================================
--- patch-tracking/CVE-2003-0501	(original)
+++ patch-tracking/CVE-2003-0501	Tue Dec  6 07:47:51 2005
@@ -1,7 +1,26 @@
 Candidate: CVE-2003-0501
 References: 
+ BUGTRAQ:20030620 Linux /proc sensitive information disclosure
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105621758104242
+ REDHAT:RHSA-2003:198
+ URL:http://www.redhat.com/support/errata/RHSA-2003-198.html
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ SUSE:SuSE-SA:2003:034
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL328
+ URL:http://oval.mitre.org/oval/definitions/data/oval328.html
 Description: 
+ The /proc filesystem in Linux allows local users to obtain
+ sensitive information by opening various entries in /proc/self
+ before executing a setuid program, which causes the program to
+ fail to change the ownership and permissions of those entries.
 Notes: 
+ Here's a link to the patch; but bkbits is currently busted.
+ http://bkbits.net:8080/linux-2.4/cset@3f2946f3RQGVjd-F2uGG6ifd8nHJNg?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/proc_misc.c
 Bugs: 
 upstream: 
 2.6.14: 
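Review bot: the `Notes:` line is unattributed, whereas the CVE-2003-0461 note in this commit carries a `dannf>` prefix; add the prefix for consistency so later editors know who left the pointer. The note also records that the bkbits link could not be checked when written, and `upstream:` and `2.6.14:` remain blank, so it is not visible whether the proc_misc.c changeset was actually applied anywhere; once the link is reachable, set `upstream:` to the release containing it and note the result.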


