05-05-2008, 03:59 PM
Stefan Bader

CVE differences between 2.6.24.y and Hardy

Tim Gardner wrote:

> ACK from me. Please apply. While you are at it, can you investigate the
> CVE differences?
>
> (cd ubuntu-hardy; git log) > hardy.log
> (cd linux-2.6.24.y; git log) > stable_24.log
> cat hardy.log stable_24.log | grep "CVE-"|sort|uniq
>
> rtg

Sorry, it took a bit, but I got the differences together. There seems to
be one CVE in Hardy that isn't in stable (CVE-2008-0001). Otherwise
Hardy misses only the latest three CVEs.

Stefan

+CVE-2008-1375: Fix dnotify/close race
+CVE-2008-1675: tehuti: move ioctl perm check closer to function start
+CVE-2008-1675: tehuti: check register size
*CVE-2008-0010: splice: missing user pointer access verification
*CVE-2008-0009: splice: missing user pointer access verification
*CVE-2008-0007: vm audit: add VM_DONTEXPAND to mmap for drivers that need it
-CVE-2008-0001: Use access mode instead of open flags to determine needed permissions
*CVE-2007-4573: x86_64: Zero extend all registers after ptrace in 32bit entry path.
*CVE-2007-3105: random: fix bound check ordering
*CVE-2007-2876: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference
*CVE-2007-0005: [PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver
*CVE-2006-6058: limit minixfs printks on corrupted dir i_size
*CVE-2006-5753: [PATCH] fix memory corruption from misinterpreted bad_inode_ops return value
*CVE-2006-4145: Fix possible UDF deadlock and memory corruption
*CVE-2006-4093: Clear HID0[en_attn] at CPU init time on PPC970
*CVE-2006-3745: Fix sctp privilege elevation
*CVE-2006-2451: [PATCH] Fix prctl privilege escalation and suid_dumpable
*CVE-2006-1864: [PATCH] smbfs chroot issue
*CVE-2006-1527: [NETFILTER]: xt_sctp: fix endless loop caused by 0 chunk length
*CVE-2006-1524: [PATCH] shmat: stop mprotect from giving write permission to a readonly attachment
*CVE-2006-1522: [Security] Keys: Fix oops when adding key to non-keyring
*CVE-2006-1343: [NETFILTER]: Fix small information leak in SO_ORIGINAL_DST
*CVE-2006-1056: [PATCH] i386/x86-64: Fix x87 information leak between processes
*CVE-2006-0744: [PATCH] x86_64: When user could have changed RIP always force IRET
*CVE-2006-0039: [NETFILTER]: Fix do_add_counters race, possible oops or info leak
*CVE-2005-0504: old buffer overflow in moxa driver
*CVE-2005-3358: [PATCH] Make sure interleave masks have at least one node set
*CVE-2005-2709: [PATCH] Fix sysctl unregistration oops
*CVE-2004-1073: [PATCH] core-dumping unreadable binaries via PT_INTERP
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
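
Added example, not part of either message or of the Ubuntu kernel tooling: the quoted `sort|uniq` pipeline prints the union of CVE lines from both logs, so this sketch shows one way to get a per-tree classification like the list above. The marker meanings (`-` Hardy only, `+` stable only, `*` both) are read from the message and are an assumption, the function names `cve_ids`, `cve_diff` and `demo` are hypothetical, and the sample logs are constructed from IDs in the list.

```sh
#!/bin/sh
# Added example (not from the thread): classify the CVE IDs in two git log dumps.

# Print the unique CVE IDs mentioned anywhere in a log file, sorted.
cve_ids() {
    grep -oE 'CVE-[0-9]{4}-[0-9]+' "$1" | LC_ALL=C sort -u
}

# cve_diff HARDY_LOG STABLE_LOG
# Markers (as read from the list in the message; an assumption):
#   -ID only in the Hardy log, +ID only in the stable log, *ID in both.
cve_diff() {
    tmp=$(mktemp -d) || return 1
    cve_ids "$1" > "$tmp/hardy"
    cve_ids "$2" > "$tmp/stable"
    # comm emits three tab-indented columns: first only, second only, both.
    LC_ALL=C comm "$tmp/hardy" "$tmp/stable" | awk -F'\t' '
        NF == 1 { print "-" $1 }
        NF == 2 { print "+" $2 }
        NF == 3 { print "*" $3 }'
    rm -rf "$tmp"
}

# Constructed sample logs; a real run would use the hardy.log and
# stable_24.log files produced by the git log commands quoted above.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/hardy.log" <<'EOF'
    CVE-2008-0001: Use access mode instead of open flags to determine needed permissions
    CVE-2008-0010: splice: missing user pointer access verification
EOF
    cat > "$d/stable_24.log" <<'EOF'
    CVE-2008-0010: splice: missing user pointer access verification
    CVE-2008-1375: Fix dnotify/close race
    CVE-2008-1675: tehuti: move ioctl perm check closer to function start
    CVE-2008-1675: tehuti: check register size
EOF
    cve_diff "$d/hardy.log" "$d/stable_24.log"
    rm -rf "$d"
}

demo
```

Matching on the ID alone collapses several commits for one CVE into a single line, and a fix whose commit message never mentions its CVE number shows up as missing even though the code is present.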
 
05-05-2008, 04:54 PM
Tim Gardner

CVE differences between 2.6.24.y and Hardy

Stefan Bader wrote:
> Tim Gardner wrote:
>
>> ACK from me. Please apply. While you are at it, can you investigate the
>> CVE differences?
>>
>> (cd ubuntu-hardy; git log) > hardy.log
>> (cd linux-2.6.24.y; git log) > stable_24.log
>> cat hardy.log stable_24.log | grep "CVE-"|sort|uniq
>>
>> rtg
>
> Sorry, it took a bit, but I got the differences together. There seems to
> be one CVE in Hardy that isn't in stable (CVE-2008-0001). Otherwise
> Hardy misses only the latest three CVEs.
>
> Stefan
>
>

Stefan - thanks for this list. I've forwarded it to Kees Cook who is
currently working on the Hardy security update.

rtg
--
Tim Gardner tim.gardner@ubuntu.com
