[kernel] r18096 - in dists/lenny-security/linux-2.6/debian/patches: bugfix/all features/all/openvz features/all/vserver

Fri Sep 16 17:54:37 UTC 2011

Author: dannf
Date: Fri Sep 16 17:54:35 2011
New Revision: 18096

Log:
previous commit of CVE-2011-3188.patch excluded new files; fixed
Also, adjust openvz/vserver patches to apply on top of CVE-2011-3188.patch

Modified:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch
   dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
   dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch

Modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch
==============================================================================

--- dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch	Fri Sep 16 03:00:31 2011	(r18095)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/CVE-2011-3188.patch	Fri Sep 16 17:54:35 2011	(r18096)
@@ -115,10 +115,10 @@
  static inline void le32_to_cpu_array(u32 *buf, unsigned int words)
  {
 diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 1d3de5c..46984b4 100644
+index 1d3de5c..10c141a 100644
 --- a/drivers/char/random.c
 +++ b/drivers/char/random.c
-@@ -1295,328 +1295,14 @@ ctl_table random_table[] = {
+@@ -1295,328 +1295,13 @@ ctl_table random_table[] = {
  };
  #endif 	/* CONFIG_SYSCTL */
  
@@ -280,18 +280,18 @@
 -}
 -
 -static inline struct keydata *get_keyptr(void)
--{
++static u32 random_int_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
++static int __init random_int_secret_init(void)
+ {
 -	struct keydata *keyptr = &ip_keydata[ip_cnt & 1];
 -
 -	smp_rmb();
 -
 -	return keyptr;
 -}
-+static u32 random_int_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
- 
+-
 -static __init int seqgen_init(void)
-+static int __init random_int_secret_init(void)
- {
+-{
 -	rekey_seq_generator(NULL);
 +	get_random_bytes(random_int_secret, sizeof(random_int_secret));
  	return 0;
@@ -451,7 +451,7 @@
  
  /*
   * Get a random word for internal kernel use only. Similar to urandom but
-@@ -1624,17 +1310,15 @@ EXPORT_SYMBOL(secure_dccp_sequence_number);
+@@ -1624,17 +1309,15 @@ EXPORT_SYMBOL(secure_dccp_sequence_number);
   * value is not cryptographically secure but for several uses the cost of
   * depleting entropy is too high
   */
@@ -511,6 +511,32 @@
  #ifndef MODULE
  extern const struct file_operations random_fops, urandom_fops;
  #endif
+diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h
+new file mode 100644
+index 0000000..d97f689
+--- /dev/null
++++ b/include/net/secure_seq.h
+@@ -0,0 +1,20 @@
++#ifndef _NET_SECURE_SEQ
++#define _NET_SECURE_SEQ
++
++#include <linux/types.h>
++
++extern __u32 secure_ip_id(__be32 daddr);
++extern __u32 secure_ipv6_id(const __be32 daddr[4]);
++extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
++extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++				      __be16 dport);
++extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
++					__be16 sport, __be16 dport);
++extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++					  __be16 sport, __be16 dport);
++extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
++				       __be16 sport, __be16 dport);
++extern u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++					 __be16 sport, __be16 dport);
++
++#endif /* _NET_SECURE_SEQ */
 diff --git a/lib/Makefile b/lib/Makefile
 index 74b0cfb..44721c7 100644
 --- a/lib/Makefile
@@ -524,6 +550,385 @@
  	 proportions.o prio_heap.o ratelimit.o
  
  lib-$(CONFIG_MMU) += ioremap.o
+diff --git a/lib/md5.c b/lib/md5.c
+new file mode 100644
+index 0000000..c777180
+--- /dev/null
++++ b/lib/md5.c
+@@ -0,0 +1,95 @@
++#include <linux/kernel.h>
++#include <linux/module.h>
++#include <linux/cryptohash.h>
++
++#define F1(x, y, z)	(z ^ (x & (y ^ z)))
++#define F2(x, y, z)	F1(z, x, y)
++#define F3(x, y, z)	(x ^ y ^ z)
++#define F4(x, y, z)	(y ^ (x | ~z))
++
++#define MD5STEP(f, w, x, y, z, in, s) \
++	(w += f(x, y, z) + in, w = (w<<s | w>>(32-s)) + x)
++
++void md5_transform(__u32 *hash, __u32 const *in)
++{
++	u32 a, b, c, d;
++
++	a = hash[0];
++	b = hash[1];
++	c = hash[2];
++	d = hash[3];
++
++	MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
++	MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
++	MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
++	MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
++	MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
++	MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
++	MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
++	MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
++	MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
++	MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
++	MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
++	MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
++	MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
++	MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
++	MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
++	MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
++
++	MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
++	MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
++	MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
++	MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
++	MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
++	MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
++	MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
++	MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
++	MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
++	MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
++	MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
++	MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
++	MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
++	MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
++	MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
++	MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
++
++	MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
++	MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
++	MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
++	MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
++	MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
++	MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
++	MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
++	MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
++	MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
++	MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
++	MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
++	MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
++	MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
++	MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
++	MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
++	MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
++
++	MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
++	MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
++	MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
++	MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
++	MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
++	MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
++	MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
++	MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
++	MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
++	MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
++	MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
++	MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
++	MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
++	MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
++	MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
++	MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
++
++	hash[0] += a;
++	hash[1] += b;
++	hash[2] += c;
++	hash[3] += d;
++}
++EXPORT_SYMBOL(md5_transform);
+diff --git a/net/core/Makefile b/net/core/Makefile
+index b1332f6..a7fbc26 100644
+--- a/net/core/Makefile
++++ b/net/core/Makefile
+@@ -3,7 +3,7 @@
+ #
+ 
+ obj-y := sock.o request_sock.o skbuff.o iovec.o datagram.o stream.o scm.o \
+-	 gen_stats.o gen_estimator.o net_namespace.o
++	 gen_stats.o gen_estimator.o net_namespace.o secure_seq.o
+ 
+ obj-$(CONFIG_SYSCTL) += sysctl_net_core.o
+ 
+diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
+new file mode 100644
+index 0000000..45329d7
+--- /dev/null
++++ b/net/core/secure_seq.c
+@@ -0,0 +1,184 @@
++#include <linux/kernel.h>
++#include <linux/init.h>
++#include <linux/cryptohash.h>
++#include <linux/module.h>
++#include <linux/cache.h>
++#include <linux/random.h>
++#include <linux/hrtimer.h>
++#include <linux/ktime.h>
++#include <linux/string.h>
++
++#include <net/secure_seq.h>
++
++static u32 net_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
++
++static int __init net_secret_init(void)
++{
++	get_random_bytes(net_secret, sizeof(net_secret));
++	return 0;
++}
++late_initcall(net_secret_init);
++
++static u32 seq_scale(u32 seq)
++{
++	/*
++	 *	As close as possible to RFC 793, which
++	 *	suggests using a 250 kHz clock.
++	 *	Further reading shows this assumes 2 Mb/s networks.
++	 *	For 10 Mb/s Ethernet, a 1 MHz clock is appropriate.
++	 *	For 10 Gb/s Ethernet, a 1 GHz clock should be ok, but
++	 *	we also need to limit the resolution so that the u32 seq
++	 *	overlaps less than one time per MSL (2 minutes).
++	 *	Choosing a clock of 64 ns period is OK. (period of 274 s)
++	 */
++	return seq + (ktime_to_ns(ktime_get_real()) >> 6);
++}
++
++#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++__u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++				   __be16 sport, __be16 dport)
++{
++	u32 secret[MD5_MESSAGE_BYTES / 4];
++	u32 hash[MD5_DIGEST_WORDS];
++	u32 i;
++
++	memcpy(hash, saddr, 16);
++	for (i = 0; i < 4; i++)
++		secret[i] = net_secret[i] + daddr[i];
++	secret[4] = net_secret[4] +
++		(((__force u16)sport << 16) + (__force u16)dport);
++	for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++		secret[i] = net_secret[i];
++
++	md5_transform(hash, secret);
++
++	return seq_scale(hash[0]);
++}
++EXPORT_SYMBOL(secure_tcpv6_sequence_number);
++
++u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++			       __be16 dport)
++{
++	u32 secret[MD5_MESSAGE_BYTES / 4];
++	u32 hash[MD5_DIGEST_WORDS];
++	u32 i;
++
++	memcpy(hash, saddr, 16);
++	for (i = 0; i < 4; i++)
++		secret[i] = net_secret[i] + (__force u32) daddr[i];
++	secret[4] = net_secret[4] + (__force u32)dport;
++	for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++		secret[i] = net_secret[i];
++
++	md5_transform(hash, secret);
++
++	return hash[0];
++}
++#endif
++
++#ifdef CONFIG_INET
++__u32 secure_ip_id(__be32 daddr)
++{
++	u32 hash[MD5_DIGEST_WORDS];
++
++	hash[0] = (__force __u32) daddr;
++	hash[1] = net_secret[13];
++	hash[2] = net_secret[14];
++	hash[3] = net_secret[15];
++
++	md5_transform(hash, net_secret);
++
++	return hash[0];
++}
++
++__u32 secure_ipv6_id(const __be32 daddr[4])
++{
++	__u32 hash[4];
++
++	memcpy(hash, daddr, 16);
++	md5_transform(hash, net_secret);
++
++	return hash[0];
++}
++
++__u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
++				 __be16 sport, __be16 dport)
++{
++	u32 hash[MD5_DIGEST_WORDS];
++
++	hash[0] = (__force u32)saddr;
++	hash[1] = (__force u32)daddr;
++	hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
++	hash[3] = net_secret[15];
++
++	md5_transform(hash, net_secret);
++
++	return seq_scale(hash[0]);
++}
++
++u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
++{
++	u32 hash[MD5_DIGEST_WORDS];
++
++	hash[0] = (__force u32)saddr;
++	hash[1] = (__force u32)daddr;
++	hash[2] = (__force u32)dport ^ net_secret[14];
++	hash[3] = net_secret[15];
++
++	md5_transform(hash, net_secret);
++
++	return hash[0];
++}
++EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
++#endif
++
++#if defined(CONFIG_IP_DCCP) || defined(CONFIG_IP_DCCP_MODULE)
++u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
++				__be16 sport, __be16 dport)
++{
++	u32 hash[MD5_DIGEST_WORDS];
++	u64 seq;
++
++	hash[0] = (__force u32)saddr;
++	hash[1] = (__force u32)daddr;
++	hash[2] = ((__force u16)sport << 16) + (__force u16)dport;
++	hash[3] = net_secret[15];
++
++	md5_transform(hash, net_secret);
++
++	seq = hash[0] | (((u64)hash[1]) << 32);
++	seq += ktime_to_ns(ktime_get_real());
++	seq &= (1ull << 48) - 1;
++
++	return seq;
++}
++EXPORT_SYMBOL(secure_dccp_sequence_number);
++
++#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
++u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
++				  __be16 sport, __be16 dport)
++{
++	u32 secret[MD5_MESSAGE_BYTES / 4];
++	u32 hash[MD5_DIGEST_WORDS];
++	u64 seq;
++	u32 i;
++
++	memcpy(hash, saddr, 16);
++	for (i = 0; i < 4; i++)
++		secret[i] = net_secret[i] + daddr[i];
++	secret[4] = net_secret[4] +
++		(((__force u16)sport << 16) + (__force u16)dport);
++	for (i = 5; i < MD5_MESSAGE_BYTES / 4; i++)
++		secret[i] = net_secret[i];
++
++	md5_transform(hash, secret);
++
++	seq = hash[0] | (((u64)hash[1]) << 32);
++	seq += ktime_to_ns(ktime_get_real());
++	seq &= (1ull << 48) - 1;
++
++	return seq;
++}
++EXPORT_SYMBOL(secure_dccpv6_sequence_number);
++#endif
++#endif
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index 37d27bc..b8ace9c 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -25,6 +25,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/tcp_states.h>
+ #include <net/xfrm.h>
++#include <net/secure_seq.h>
+ 
+ #include "ackvec.h"
+ #include "ccid.h"
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index f7fe2a5..624fc34 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -28,6 +28,7 @@
+ #include <net/transp_v6.h>
+ #include <net/ip6_checksum.h>
+ #include <net/xfrm.h>
++#include <net/secure_seq.h>
+ 
+ #include "dccp.h"
+ #include "ipv6.h"
+@@ -69,13 +70,7 @@ static inline void dccp_v6_send_check(struct sock *sk, int unused_value,
+ 	dh->dccph_checksum = dccp_v6_csum_finish(skb, &np->saddr, &np->daddr);
+ }
+ 
+-static inline __u32 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
+-						  __be16 sport, __be16 dport   )
+-{
+-	return secure_tcpv6_sequence_number(saddr, daddr, sport, dport);
+-}
+-
+-static inline __u32 dccp_v6_init_sequence(struct sk_buff *skb)
++static inline __u64 dccp_v6_init_sequence(struct sk_buff *skb)
+ {
+ 	return secure_dccpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
+ 					     ipv6_hdr(skb)->saddr.s6_addr32,
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index 2023d37..5cd9f73 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -21,6 +21,7 @@
+ 
+ #include <net/inet_connection_sock.h>
+ #include <net/inet_hashtables.h>
++#include <net/secure_seq.h>
+ #include <net/ip.h>
+ 
+ /*
+diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
+index af99519..53f90d8 100644
+--- a/net/ipv4/inetpeer.c
++++ b/net/ipv4/inetpeer.c
+@@ -21,6 +21,7 @@
+ #include <linux/net.h>
+ #include <net/ip.h>
+ #include <net/inetpeer.h>
++#include <net/secure_seq.h>
+ 
+ /*
+  *  Theory of operations.
+diff --git a/net/ipv4/netfilter/nf_nat_proto_common.c b/net/ipv4/netfilter/nf_nat_proto_common.c
+index 91537f1..3766ea1 100644
+--- a/net/ipv4/netfilter/nf_nat_proto_common.c
++++ b/net/ipv4/netfilter/nf_nat_proto_common.c
+@@ -12,6 +12,7 @@
+ #include <linux/ip.h>
+ 
+ #include <linux/netfilter.h>
++#include <net/secure_seq.h>
+ #include <net/netfilter/nf_nat.h>
+ #include <net/netfilter/nf_nat_core.h>
+ #include <net/netfilter/nf_nat_rule.h>
 diff --git a/net/ipv4/route.c b/net/ipv4/route.c
 index 96be336..8330b55 100644
 --- a/net/ipv4/route.c
@@ -536,3 +941,39 @@
  
  #define RT_FL_TOS(oldflp) \
      ((u32)(oldflp->fl4_tos & (IPTOS_RT_MASK | RTO_ONLINK)))
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index ffe869a..c39f222 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -72,6 +72,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/xfrm.h>
+ #include <net/netdma.h>
++#include <net/secure_seq.h>
+ 
+ #include <linux/inet.h>
+ #include <linux/ipv6.h>
+diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
+index 580014a..e155689 100644
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -20,6 +20,7 @@
+ #include <net/inet_connection_sock.h>
+ #include <net/inet_hashtables.h>
+ #include <net/inet6_hashtables.h>
++#include <net/secure_seq.h>
+ #include <net/ip.h>
+ 
+ void __inet6_hash(struct sock *sk)
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index f2e7b37..6361e40 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -61,6 +61,7 @@
+ #include <net/timewait_sock.h>
+ #include <net/netdma.h>
+ #include <net/inet_common.h>
++#include <net/secure_seq.h>
+ 
+ #include <asm/uaccess.h>
+ 

Modified: dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Fri Sep 16 03:00:31 2011	(r18095)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Fri Sep 16 17:54:35 2011	(r18096)
@@ -77442,9 +77442,9 @@
 index ffe869a..ca6b5d3 100644
 --- a/net/ipv4/tcp_ipv4.c
 +++ b/net/ipv4/tcp_ipv4.c
-@@ -73,6 +73,8 @@
- #include <net/xfrm.h>
+@@ -74,6 +74,8 @@
  #include <net/netdma.h>
+ #include <net/secure_seq.h>
  
 +#include <bc/tcp.h>
 +
@@ -79339,9 +79339,9 @@
 index 40ea9c3..cdc8697 100644
 --- a/net/ipv6/tcp_ipv6.c
 +++ b/net/ipv6/tcp_ipv6.c
-@@ -62,6 +62,8 @@
- #include <net/netdma.h>
+@@ -63,6 +63,8 @@
  #include <net/inet_common.h>
+ #include <net/secure_seq.h>
  
 +#include <bc/tcp.h>
 +

Modified: dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch	Fri Sep 16 03:00:31 2011	(r18095)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch	Fri Sep 16 17:54:35 2011	(r18096)
@@ -26700,10 +26700,10 @@
  				if (r->id.idiag_sport != tw->tw_sport &&
 --- a/net/ipv4/inet_hashtables.c	2008-07-14 17:22:58.000000000 -0400
 +++ a/net/ipv4/inet_hashtables.c	2008-07-29 17:27:07.000000000 -0400
-@@ -21,6 +21,7 @@
- 
+@@ -22,6 +22,7 @@
  #include <net/inet_connection_sock.h>
  #include <net/inet_hashtables.h>
+ #include <net/secure_seq.h>
 +#include <net/route.h>
  #include <net/ip.h>
  

