pinyo_villany's blog

GKH: linux v2.6.22.19-rc1

This is the start of the stable review cycle for the 2.6.22.19 release.
There are 23 patches in this series, all will be posted as a response to
this one. If anyone has any issues with these being applied, please let
us know. If anyone is a maintainer of the proper subsystem, and wants
to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the
Cc: line. If you wish to be a reviewer, please email stable<>kernel.org
to add your name to the list. If you want to be off the reviewer list,
also email us.

Responses should be made by Monday, Feb 24, 2008, 22:00:00 UTC.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.22.19-rc1.gz
and the diffstat can be found below.

thanks,

greg k-h

Debian Security: another Xorg update

------------------------------------------------------------------------
Debian Security Advisory DSA-1466-2                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
January 19, 2008                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package : xorg-server, libxfont, xfree86
Vulnerability : several
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006

Outlook for Lenny

Security hardening for Debian

Making the programs in a distribution more resistant to exploits—a process known as hardening—is a fairly common way to reduce the attack surface for the distribution. Many distributions have made an effort in this area, with some adding in an overall security architecture, like AppArmor for SUSE or SELinux for Red Hat and Fedora distributions. Debian is currently looking at enabling some hardening features, potentially throughout a large swath of packages that it distributes. The features being considered and the concerns raised provide an interesting look at the tradeoffs.
A posting to debian-devel-announce regarding hardening features for Lenny started the conversation. Those packages that are most susceptible—network services, packages that parse files from untrusted sources, or those that have been the subject of a security alert—should enable a set of security tools that will help deflect attacks against them. Various attacks rely upon certain characteristics of Linux binaries that allow them to be exploited. By altering the way the binaries are built, those particular threats can be mitigated.

AvdV: vmsplice exploits, stack protector and Makefiles

Hi,

I just read the excellent LWN writeup of the vmsplice security thing, and that got me
wondering why this attack wasn't stopped by the CONFIG_CC_STACKPROTECTOR option... because
it plain should have been...

some analysis later.. it turns out that the following line in the top level Makefile,
added by you in October 2007, entirely disables CONFIG_CC_STACKPROTECTOR ;(
With this line removed the exploit will be nicely stopped.

# Force gcc to behave correct even for buggy distributions
CFLAGS += $(call cc-option, -fno-stack-protector)

Now I realize that certain distros have patched gcc to compensate for their lack of distro
wide CFLAGS, and it's great to work around that... but would there be a way to NOT
disable this for CONFIG_CC_STACKPROTECTOR please? It would have made this
exploit not possible for those kernels that enable this feature (and that includes distros
like Fedora)
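
A build-tree check for the condition described in the mail above, as an added example that is not part of the original message or the kernel source: it reports when a Makefile appends `-fno-stack-protector` outside any conditional while the `.config` sets `CONFIG_CC_STACKPROTECTOR=y`. The function names, the sample files and the guarded `ifndef` variant are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the quoted mail or the kernel tree).
# Flags a Makefile that adds -fno-stack-protector outside any conditional
# while the .config requests CONFIG_CC_STACKPROTECTOR=y.

# Print line numbers of -fno-stack-protector additions at conditional depth 0.
unconditional_no_ssp() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*(ifdef|ifndef|ifeq|ifneq)([ \t(]|$)/ { depth++; next }
        /^[ \t]*endif/ { if (depth > 0) depth--; next }
        /-fno-stack-protector/ && depth == 0 { print NR }
    ' "$1"
}

# Exit status 0 = finding: option enabled in .config but defeated by Makefile.
ssp_defeated() {
    grep -q '^CONFIG_CC_STACKPROTECTOR=y$' "$2" || return 1
    [ -n "$(unconditional_no_ssp "$1")" ]
}

# Constructed sample inputs.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat > "$demo/Makefile.bad" <<'EOF'
# Force gcc to behave correct even for buggy distributions
CFLAGS += $(call cc-option, -fno-stack-protector)
EOF

# Hypothetical guarded form (an assumption, not the fix that was merged).
cat > "$demo/Makefile.guarded" <<'EOF'
ifndef CONFIG_CC_STACKPROTECTOR
CFLAGS += $(call cc-option, -fno-stack-protector)
endif
EOF

echo 'CONFIG_CC_STACKPROTECTOR=y' > "$demo/config.on"
echo '# CONFIG_CC_STACKPROTECTOR is not set' > "$demo/config.off"

for mk in Makefile.bad Makefile.guarded; do
    if ssp_defeated "$demo/$mk" "$demo/config.on"; then
        echo "$mk: stack protector requested but disabled at line(s) $(unconditional_no_ssp "$demo/$mk" | tr '\n' ' ')"
    else
        echo "$mk: ok"
    fi
done
```

The depth counter treats any enclosing conditional as a guard, so a hit inside an `else` branch or an unrelated `ifdef` still needs a manual look.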

GKH: linux v2.6.22.17

We (the -stable team) are announcing the release of the 2.6.22.17
kernel.

It contains a number of bugfixes, and all users of the 2.6.22 series are
encouraged to upgrade.

I'll also be replying to this message with a copy of the patch between
2.6.22.16 and 2.6.22.17

The updated 2.6.22.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.6.22.y.git
and can be browsed at the normal kernel.org git web browser:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=s…

thanks,

greg k-h

--------

Makefile | 2
arch/powerpc/mm/hash_utils_64.c | 2
arch/sparc64/kernel/chmc.c | 16 +++--
arch/sparc64/kernel/entry.S | 12 +++
arch/sparc64/kernel/smp.c | 19 ++++--
arch/sparc64/mm/init.c | 29 ++++++---
drivers/acpi/dispatcher/dsobject.c | 91 ++++++++++++++++++++++++++++--
drivers/atm/nicstar.c | 19 ++----
drivers/char/drm/drm_vm.c | 2
drivers/char/mspec.c | 3
drivers/connector/cn_queue.c | 2
drivers/net/cassini.c | 45 +++-----------
drivers/net/cassini.h | 18 ++---
drivers/net/chelsio/cxgb2.c | 66 ++++++++++++++++-----
drivers/net/chelsio/pm3393.c | 112 ++++++++++++++-----------------------
drivers/net/chelsio/sge.c | 40 +++++--------
drivers/net/chelsio/sge.h | 3
drivers/net/usb/kaweth.c | 2
drivers/net/usb/mcs7830.c | 4 -
drivers/pci/quirks.c | 6 +
fs/exec.c | 6 +
fs/ncpfs/mmap.c | 3
include/asm-sparc64/hypervisor.h | 4 +
include/linux/pci_ids.h | 2
kernel/relay.c | 1
mm/mmap.c | 2
net/atm/mpc.c | 7 ++
net/ax25/ax25_in.c | 2
net/ipv4/devinet.c | 2
net/ipv4/ip_gre.c | 2
net/ipv4/route.c | 8 +-
net/irda/af_irda.c | 2
net/key/af_key.c | 14 +++-
net/netrom/nr_dev.c | 2
net/x25/x25_forward.c | 5 -
net/xfrm/xfrm_policy.c | 9 +-
sound/oss/via82cxxx_audio.c | 14 +---
sound/usb/usx2y/usX2Yhwdep.c | 2
sound/usb/usx2y/usx2yhwdeppcm.c | 2
39 files changed, 355 insertions(+), 227 deletions(-)

GKH: linux v2.6.22.17rc1

This is the start of the stable review cycle for the 2.6.22.17 release.
There are 27 patches in this series, all will be posted as a response to
this one. If anyone has any issues with these being applied, please let
us know. If anyone is a maintainer of the proper subsystem, and wants
to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the
Cc: line. If you wish to be a reviewer, please email stable@kernel.org
to add your name to the list. If you want to be off the reviewer list,
also email us.

Responses should be made by Feb 5 2008, 00:00:00 UTC. Anything received
after that time might be too late.

GKH: linux v2.6.22.16


We (the -stable team) are announcing the release of the 2.6.22.16
kernel.

It contains a single fix for a problem that could cause a local user to
cause file system corruption on some types of filesystems.

All users of the 2.6.22 series are encouraged to upgrade.

I'll also be replying to this message with a copy of the patch between
2.6.22.15 and 2.6.22.16

The updated 2.6.22.y git tree can be found at:
        git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.6.22.y.git
and can be browsed at the normal kernel.org git web browser:
        http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=summary

thanks,

greg k-h