[kernel] r4843 - patch-tracking
Dann Frazier
dannf at costa.debian.org
Sun Nov 20 00:03:38 UTC 2005
Author: dannf
Date: Sun Nov 20 00:03:37 2005
New Revision: 4843
Added:
patch-tracking/CAN-2005-0449
- copied, changed from r4839, patch-tracking/00boilerplate
patch-tracking/CVE-2005-2709
- copied unchanged from r4842, patch-tracking/cve-2005-2709-sysctl-unregistration-oops.patch
patch-tracking/ia64-buggy-preempt
- copied, changed from r4839, patch-tracking/00boilerplate
Removed:
patch-tracking/cve-2005-2709-sysctl-unregistration-oops.patch
Log:
add a couple pending ABI change issues & rename the CVE-2005-2709 file for consistency
Copied: patch-tracking/CAN-2005-0449 (from r4839, patch-tracking/00boilerplate)
==============================================================================
--- patch-tracking/00boilerplate (original)
+++ patch-tracking/CAN-2005-0449 Sun Nov 20 00:03:37 2005
@@ -1,12 +1,21 @@
-Candidate:
+Candidate: CAN-2005-0449
References:
+ URL:http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0449
Description:
+ The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to
+ cause a denial of service (kernel crash) or bypass firewall rules via crafted
+ packets, which are not properly handled by the skb_checksum_help function.
Notes:
+ ** CHANGES ABI **
+ ipv4-fragment-queues-[1,2,2.1].dpatch are in sarge's 2.6.8.
+ ipv4-fragment-queues-[3,4].dpatch are awaiting an ABI event
+ .
+ 150_private_fragment_queues-[1,2].diff are awaiting a 2.4.27 ABI event
Bugs:
upstream:
2.6.14:
-2.6.8-sarge-security:
-2.4.27-sarge-security:
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: needed
2.6.8:
2.4.19-woody-security:
2.4.18-woody-security:
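Review bot: The Notes block lists the ipv4-fragment-queues-[3,4].dpatch and 150_private_fragment_queues-[1,2].diff patches as pending without saying how they relate to the skb_checksum_help handling named in the Description. A one-line statement of which patches carry the fix for this candidate would make the two "needed" entries actionable. The upstream:, 2.6.14: and 2.6.8: fields are still empty although the Description gives "before 2.6.8.1" as the affected range, so they could be filled in with this change. The Candidate line and file name use the CAN- prefix while the added URL uses CVE-2005-0449, and the same commit renames the other file to CVE-2005-2709 for consistency, so one form should be chosen for both.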
Copied: patch-tracking/ia64-buggy-preempt (from r4839, patch-tracking/00boilerplate)
==============================================================================
--- patch-tracking/00boilerplate (original)
+++ patch-tracking/ia64-buggy-preempt Sun Nov 20 00:03:37 2005
@@ -1,16 +1,36 @@
-Candidate:
+Candidate: needed
References:
Description:
-Notes:
+ 2.6.8 ia64 kernel w/ PREEMPT enabled permits local DoS (oops)
+Notes:
+ From: dann frazier <dannf at dannf.org>
+ To: team at security.debian.org
+ Subject: kernel-image-2.6.8-ia64 - disable preempt
+ Date: Fri, 25 Mar 2005 18:57:59 -0700
+ .
+ hey security team,
+ Its likely that kernel-image-2.6.8-ia64 (2.6.8-12) will be the version
+ that ships in sarge. This kernel has CONFIG_PREEMPT enabled, which has
+ at least one known issue in ptrace code that lets an unpriveleged
+ userspace process trigger an oops. This issue went away upstream by
+ 2.6.9, but its unclear what actually fixed it. SuSE/RedHat disable
+ PREEMPT for ia64 (or so I'm told), so they are not affected. This same
+ test case does _not_ fail on x86, which also has PREEMPT enabled for
+ sarge.
+ .
+ This issue has been known for a while, but I waited until after d-i
+ RC3 to upload it, since it changes the ABI. This fix is in the 2.6.8-13
+ build in unstable, but the release team is blocking this kernel from
+ normal sarge propagation to keep the kernel udebs in sync.
Bugs:
upstream:
-2.6.14:
-2.6.8-sarge-security:
-2.4.27-sarge-security:
-2.6.8:
-2.4.19-woody-security:
-2.4.18-woody-security:
-2.4.17-woody-security:
-2.4.16-woody-security:
-2.4.17-woody-security-hppa:
-2.4.17-woody-security-ia64:
+2.6.14: N/A
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: N/A
+2.6.8: needed
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
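Review bot: The status line "+2.6.8: needed" sits oddly with the quoted mail's "This fix is in the 2.6.8-13 build in unstable". If that upload is what this field tracks, record the fixed version there. Otherwise, add a line to Notes saying why it is still needed. The remedy appears only in the mail's Subject line ("disable preempt"), so a short summary line ahead of the quoted mail, stating that CONFIG_PREEMPT is to be turned off for the 2.6.8 ia64 kernel, would save readers from parsing the mail. The References: and Bugs: fields are empty even though the mail refers to a known ptrace test case, so a pointer to it belongs there.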