[kernel] r4843 - patch-tracking

Dann Frazier dannf at costa.debian.org
Sun Nov 20 00:03:38 UTC 2005 

Author: dannf
Date: Sun Nov 20 00:03:37 2005
New Revision: 4843

Added:
   patch-tracking/CAN-2005-0449
      - copied, changed from r4839, patch-tracking/00boilerplate
   patch-tracking/CVE-2005-2709
      - copied unchanged from r4842, patch-tracking/cve-2005-2709-sysctl-unregistration-oops.patch
   patch-tracking/ia64-buggy-preempt
      - copied, changed from r4839, patch-tracking/00boilerplate
Removed:
   patch-tracking/cve-2005-2709-sysctl-unregistration-oops.patch
Log:
add a couple pending ABI change issues & rename the CVE-2005-2709 file for consistency

Copied: patch-tracking/CAN-2005-0449 (from r4839, patch-tracking/00boilerplate)
==============================================================================
--- patch-tracking/00boilerplate	(original)
+++ patch-tracking/CAN-2005-0449	Sun Nov 20 00:03:37 2005
@@ -1,12 +1,21 @@
-Candidate: 
+Candidate: CAN-2005-0449
 References: 
+ URL:http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0449
 Description: 
+ The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to
+ cause a denial of service (kernel crash) or bypass firewall rules via crafted
+ packets, which are not properly handled by the skb_checksum_help function.
 Notes: 
+ ** CHANGES ABI **
+ ipv4-fragment-queues-[1,2,2.1].dpatch are in sarge's 2.6.8.
+ ipv4-fragment-queues-[3,4].dpatch are awaiting an ABI event
+ .
+ 150_private_fragment_queues-[1,2].diff are awaiting a 2.4.27 ABI event
 Bugs: 
 upstream: 
 2.6.14: 
-2.6.8-sarge-security: 
-2.4.27-sarge-security: 
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: needed
 2.6.8: 
 2.4.19-woody-security: 
 2.4.18-woody-security: 

Copied: patch-tracking/ia64-buggy-preempt (from r4839, patch-tracking/00boilerplate)
==============================================================================
--- patch-tracking/00boilerplate	(original)
+++ patch-tracking/ia64-buggy-preempt	Sun Nov 20 00:03:37 2005
@@ -1,16 +1,36 @@
-Candidate: 
+Candidate: needed
 References: 
 Description: 
-Notes: 
+ 2.6.8 ia64 kernel w/ PREEMPT enabled permits local DoS (oops)
+Notes:
+ From: 	dann frazier <dannf at dannf.org>
+ To: 	team at security.debian.org
+ Subject: 	kernel-image-2.6.8-ia64 - disable preempt
+ Date: 	Fri, 25 Mar 2005 18:57:59 -0700
+ .
+ hey security team,
+   Its likely that kernel-image-2.6.8-ia64 (2.6.8-12) will be the version
+ that ships in sarge.  This kernel has CONFIG_PREEMPT enabled, which has
+ at least one known issue in ptrace code that lets an unpriveleged
+ userspace process trigger an oops.  This issue went away upstream by
+ 2.6.9, but its unclear what actually fixed it.  SuSE/RedHat disable
+ PREEMPT for ia64 (or so I'm told), so they are not affected.  This same
+ test case does _not_ fail on x86, which also has PREEMPT enabled for
+ sarge.
+ .
+   This issue has been known for a while, but I waited until after d-i
+ RC3 to upload it, since it changes the ABI.  This fix is in the 2.6.8-13
+ build in unstable, but the release team is blocking this kernel from
+ normal sarge propagation to keep the kernel udebs in sync.
 Bugs: 
 upstream: 
-2.6.14: 
-2.6.8-sarge-security: 
-2.4.27-sarge-security: 
-2.6.8: 
-2.4.19-woody-security: 
-2.4.18-woody-security: 
-2.4.17-woody-security: 
-2.4.16-woody-security: 
-2.4.17-woody-security-hppa: 
-2.4.17-woody-security-ia64: 
+2.6.14: N/A
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: N/A
+2.6.8: needed
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A

More information about the Kernel-svn-changes mailing list