On Sat, Apr 28, 2007 at 12:04:09AM +0200, Sven.Hartrumpf@FernUni-Hagen.de wrote:
Hello again.
Fri, 27 Apr 2007 22:53:57 +0200, meissner wrote:
Taking in new bugs for 9.3 stopped at 15th. The idea was to bring out all the running incidents until 30th.
Yes.
There likely will not be a kernel update for 9.3 anymore.
That surprises me. The latest kernel for SUSE 9.3 is 2.6.11.4-21.15-default, from 2006-11-28. Here are some kernel related CVEs which are not mentioned in any security updates for SUSE 9.3:
Let's review them briefly:
2006: CVE-2006-6057 Only when using the gfs2 fs, which we do not in 9.3.
-> No need to fix for 9.3
CVE-2006-6058 minix. Not really used anymore and a pretty hard to fix condition (due to the fs design). Also requires an image to be supplied.
We decided not to fix it. -> Will not be fixed for 9.3
CVE-2006-6921
So far no patch for this has been forthcoming from the kernel community and it does not seem to be taken as a critical issue. -> Will not be fixed for 9.3
CVE-2006-7051 Local dos by resource exhaustion / memory consumption.
Quite hard to fix and only a minor issue. Memory can be exhausted in lots of ways. -> Will not be fixed for 9.3
2007: CVE-2007-0005 Requires the omnikey cardman driver to be loaded and the device accessible to the exploiting local user.
-> Not yet clear if we will fix it for 9.3
CVE-2007-0772
SUSE Linux 9.3 did not contain the NFS2 ACL code exploited here. -> No need to fix for 9.3.
CVE-2007-0958 Minor issue, deep within the ELF loader code. Quite hard to backport and not cause breakage.
Fixed in mainline kernel for newer products. -> Will not be fixed in 9.3.
CVE-2007-1000
The bug does not affect the kernel in 9.3 (the buggy code is not there). -> No need to fix for 9.3.
CVE-2007-1217
Perhaps to be fixed for 9.3, but requires CAPI access. -> Status unclear
CVE-2007-1357
Needs AppleTalk protocol loaded, local network crash. -> Will be fixed for 9.3.
CVE-2007-1388
Code is not affected in SUSE Linux 9.3. -> No need to be fixed for 9.3.
CVE-2007-1496
Not known to us yet, evaluating. Looks minor.
CVE-2007-1497
Not known to us yet, evaluating. (Perhaps 9.3 is not affected.)
CVE-2007-1592
-> Will be fixed for 9.3.
CVE-2007-1730
2.6.20 and later kernels only. -> No need to be fixed for 9.3.
CVE-2007-1734
2.6.20 and later kernels only. -> No need to be fixed for 9.3.
CVE-2007-2172
I think this is a non-issue. RTA_MAX is larger than RTN_MAX, so this could not have any effect. And any potential "out of bounds access" would be
- read/only to const memory -> no kernel information leak
- with an index of "unsigned char", so at maximum 255 elements

The CVE description is incorrect I guess.
I apologize if I listed some fixed or irrelevant ones.
See above. Some minor problems we will not fix. You missed CVE-2006-5753 which we will fix. After reviewing the issues I have decided to issue a final roll-up kernel update for 9.3 in the next days.

Ciao, Marcus