I've published two repositories for SUSE Linux 10.1:

* An updated package management stack
* New kernel 2.6.16.21

We plan to release this soon (this week!) as an official update and
appreciate any testing. Please report bugs you find on
bugzilla.novell.com and CC me on the report (as <aj at novell dot com>).

The packages and the changes themselves have been tested intensively
during the last weeks inside Novell. Since these are large updates, we
would like to have additional testing of these as a patch and on a
variety of systems and environments.

Package Management Stack Update
===============================

In addition to the already released fixes for the package management
stack, we have now fixed further bugs. The most important changes are:

* Fixes for autorefresh (#186115, #181613, #181182)
* Do not leave stale tmp files (#178292)
* Empty catalogs before filling them (#181602)
* Handle passwords in URLs (#186978, #186842, #186804)
* Handle signing in zen-updater, zmd
* Fix some bugs in interaction of libzypp and zmd

The repository URL is:
ftp://ftp.suse.com/pub/people/aj/10.1-packagemanagement-update-test
(please use a mirror of ftp.suse.com if possible.)

Kernel Update
=============

Please apply the package management stack before applying the kernel
update.

This is an update to Kernel 2.16.21 together with a number of bug
fixes that we developed during the last weeks.

The kernel changes its ABI completely, so all the
kernel-module-packages (kmp) that you have installed need to be
updated as well. The interface between kernel and AppArmor has been
changed as well, and therefore you have to update AppArmor as well (or
disable it). Xen is updated as well, as are udev, open-iscsi,
multipath-tools and mkinitrd.

The repository URL is:
ftp://ftp.suse.com/pub/people/aj/10.1-kernel-update-test
(please use a mirror of ftp.suse.com if possible.)

Note on AppArmor
----------------

Since the update adds new flags to the profile syntax, you likely
should review and adapt your profiles.

- If a profile allowed unconfined execution ("ux") of a child binary,
  it was possible to inject code via LD_PRELOAD or similar environment
  variables into this child binary and execute code without
  confinement.

  We have added a new flag "Ux" (and "Px" for "px") which makes the
  executed child clear the most critical environment variables
  (similar to setuid programs).

  Special care needs to be taken nevertheless that this interaction
  between parent and child programs cannot be exploited in other ways
  to gain the rights of the child process.

- If a resource is marked as "r" in the profile, it was possible to use
  mmap with the PROT_EXEC flag set to load this resource as an
  executable piece of code, making it effectively "ix".

  This could be used by a coordinated attack between two applications
  to potentially inject code into the reader.

  To allow mmap() executable access, supply the "m" flag to the
  application's profile.

Please also review the updated documentation.

Andreas
-- 
Andreas Jaeger, aj@suse.de, http://www.suse.de/~aj/
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
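
One way to run the profile review that the AppArmor note asks for, as an added example that is not part of the original announcement or of AppArmor itself: it lists file rules that still use "ux" or "px" (candidates for "Ux"/"Px") and shared-object rules that grant "r" without "m". The sample profile, the audit_profile function and the ".so" heuristic are assumptions made for illustration.

```python
import re

# Constructed sample profile for illustration; not taken from the announcement.
SAMPLE_PROFILE = """\
/usr/sbin/exampled {
  /etc/exampled.conf r,
  /usr/lib/libexample.so* r,
  /lib/libc.so* mr,
  /usr/bin/helper ux,
  /usr/bin/filter px,
  /usr/bin/cleaner Ux,
  /usr/bin/render Px,
  /bin/cat ixr,
  /var/log/exampled.log w,
}
"""

# A file rule: path, whitespace, permission string, trailing comma.
RULE = re.compile(r"^\s*(/\S*)\s+([A-Za-z]+),\s*$")
# Exec modes are two-letter tokens; every other permission is one letter.
TOKEN = re.compile(r"[UuPpi]x|[a-z]")

def audit_profile(text):
    """Return (line_no, path, finding) tuples for rules that need review."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        match = RULE.match(line)
        if not match:
            continue  # profile header, closing brace, or a non-file rule
        path, perms = match.groups()
        modes = set(TOKEN.findall(perms))
        if "ux" in modes:
            findings.append((no, path, "ux keeps the environment; consider Ux"))
        if "px" in modes:
            findings.append((no, path, "px keeps the environment; consider Px"))
        # Heuristic (assumption): shared objects are normally mapped PROT_EXEC,
        # so a rule with "r" but no "m" will stop working for them.
        if "r" in modes and "m" not in modes and ".so" in path:
            findings.append((no, path, "r without m; executable mmap is denied"))
    return findings

if __name__ == "__main__":
    for no, path, finding in audit_profile(SAMPLE_PROFILE):
        print(f"line {no}: {path}: {finding}")
```

Whether a flagged "ux" or "px" rule can move to "Ux" or "Px" depends on whether the child program relies on variables that would be cleared, so each finding is a prompt for review rather than an automatic rewrite.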