Any chance of pushing the F-8 kernel with that security fix
(CVE-2008-1669) into stable?

--
Bojan

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Bojan Smojver <bojan <at> rexursive.com> writes:

> Any chance of pushing the F-8 kernel with that security fix
> (CVE-2008-1669) into stable?

I will officially stop caring about this tomorrow (he, he :-), however, this
doesn't look any better:

https://admin.fedoraproject.org/updates/F9/security

According to this:

http://lwn.net/Articles/281689/

We should all be on 2.6.25.3. Can someone confirm F9 kernels are not affected by
these unspecified security issues fixed in .3?

--
Bojan




--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Bojan Smojver wrote:

Bojan Smojver <bojan <at> rexursive.com> writes:



Any chance of pushing the F-8 kernel with that security fix
(CVE-2008-1669) into stable?



I will officially stop caring about this tomorrow (he, he :-), however, this
doesn't look any better:

https://admin.fedoraproject.org/updates/F9/security


https://admin.fedoraproject.org/updates/search/CVE-2008-1669 shows nothing.

The crazy thing is all the bugs that the CVE tracking bug depends on,
are embargo'd (most likely for EL-3-5+update releases or something).


Can't see anything in koji etc. Now I'm not saying that there is no
reason to worry, but it (cuse the pun) bugs me that that as soon as a
CVE comes out, it must be patched yesterday. The embargo on the tracker
bug wasn't open to Fedora contributors and was only released on the 7th.


It's a pity we live in a society of fear, but I understand.

- Nigel

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Nigel Jones <dev <at> nigelj.com> writes:

> https://admin.fedoraproject.org/updates/search/CVE-2008-1669 shows nothing.

Although that particular one has been fixed by building 2.6.24.7:

http://lwn.net/Articles/281225/
http://koji.fedoraproject.org/koji/buildinfo?buildID=48407

However, F9 is 2.6.25 based, so that isn't going to apply. And, 2.6.24 isn't
getting any more updates either and this says that everyone on 2.6.24 should go
to 2.6.25.3, which has fixes to yet another two security problems:

http://lwn.net/Articles/281689/

I would think these kernel rebuilds shouldn't be all that difficult to do and I
don't know what the holdup is. When build time is added to push to stable time,
it all adds up to significant number of days for Fedora having an unpatched
kernel containing known security problems.

--
Bojan

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Le Mar 13 mai 2008 09:21, Bojan Smojver a écrit :
>
> However, F9 is 2.6.25 based, so that isn't going to apply. And, 2.6.24
> isn't
> getting any more updates either and this says that everyone on 2.6.24
> should go
> to 2.6.25.3, which has fixes to yet another two security problems:

At least one of the 2.6.25.3 is already in the F9 kernel (it was a F9
blocker). Don't know if it's one of the two security bits though.

--
Nicolas Mailhot

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Nicolas Mailhot <nicolas.mailhot <at> laposte.net> writes:

> At least one of the 2.6.25.3 is already in the F9 kernel (it was a F9
> blocker).

I'm guessing you are referring to CVE-2008-1675, which was fixed in
2.6.25-14.fc9:

http://koji.fedoraproject.org/koji/buildinfo?buildID=47791

> Don't know if it's one of the two security bits though.

I think not. They were discover after that build.

--
Bojan

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Le Mar 13 mai 2008 10:28, Bojan Smojver a écrit :
> Nicolas Mailhot <nicolas.mailhot <at> laposte.net> writes:
>
>> At least one of the 2.6.25.3 is already in the F9 kernel (it was a
>> F9
>> blocker).
>
> I'm guessing you are referring to CVE-2008-1675, which was fixed in
> 2.6.25-14.fc9:

I'm refering to the 2.6.25-13.fc9 Oops fix

--
Nicolas Mailhot

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Tuesday 13 May 2008 03:49:44 am Nicolas Mailhot wrote:
> Le Mar 13 mai 2008 09:21, Bojan Smojver a écrit :
> > However, F9 is 2.6.25 based, so that isn't going to apply. And, 2.6.24
> > isn't
> > getting any more updates either and this says that everyone on 2.6.24
> > should go
> > to 2.6.25.3, which has fixes to yet another two security problems:
>
> At least one of the 2.6.25.3 is already in the F9 kernel (it was a F9
> blocker). Don't know if it's one of the two security bits though.

A 2.6.25.3 kernel is already built and waiting in the wings.

http://koji.fedoraproject.org/packages/kernel/2.6.25.3/18.fc9

--
Jarod Wilson
jwilson@redhat.com

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Jarod Wilson <jwilson <at> redhat.com> writes:

> A 2.6.25.3 kernel is already built and waiting in the wings.
>
> http://koji.fedoraproject.org/packages/kernel/2.6.25.3/18.fc9

Wonderful! Thanks.

--
Bojan



--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list