Mailinglist Archive: opensuse-factory (293 mails)
[opensuse-factory] Test updates for SUSE Linux 10.1
- From: Andreas Jaeger <aj@xxxxxxx>
- Date: Tue, 11 Jul 2006 14:22:11 +0200
- Message-id: <ho4pxofi18.fsf@xxxxxxxxxxxxx>
I've published two repositories for SUSE Linux 10.1:
* An updated packagemanagement stack
* New kernel 2.6.16.21
We plan to release this soon (this week!) as an official update and
appreciate any testing; please report bugs you find on
bugzilla.novell.com and CC me on the report (as <aj at novell dot
com>).
The packages and the changes themselves have been tested intensively
during the last weeks inside Novell. Since these are large updates,
we would like to have additional testing of these as a patch and on a
variety of systems and environments.
Package Management Stack Update
===============================
In addition to the already released fixes for the package management
stack, we have now fixed further bugs.
The most important changes are:
* Fixes for autorefresh (#186115, #181613, #181182)
* Do not leave stale tmp files (#178292)
* Empty catalogs before filling them (#181602)
* Handle passwords in URLs (#186978, #186842, #186804)
* Handle signing in zen-updater, zmd
* Fix some bugs in interaction of libzypp and zmd
The repository URL is:
ftp://ftp.suse.com/pub/people/aj/10.1-packagemanagement-update-test
(please use a mirror of ftp.suse.com if possible.)
Kernel Update
=============
Please apply the package management stack before applying the kernel
update.
This is an update to Kernel 2.16.21 together with a number of
bug fixes that we developed during the last weeks.
The kernel changes its ABI completely, so all the
kernel-module-packages (kmp) that you have installed, need to be
updated as well.
The interface between kernel and AppArmor has been changed as well,
and therefore you have to update AppArmor as well (or disable it).
Xen is updated as well, as are udev, open-iscsi, multipath-tools and
mkinitrd.
The repository URL is:
ftp://ftp.suse.com/pub/people/aj/10.1-kernel-update-test
(please use a mirror of ftp.suse.com if possible.)
Note on AppArmor
----------------
Since the update adds new flags to the profile syntax, you likely
should review and adapt your profiles.
- If a profile allowed unconfined execution ("ux") of a
child binary it was possible to inject code via
LD_PRELOAD or similar environment variables into this
child binary and execute code without confinement.
We have added a new flag "Ux" (and "Px" for "px") which makes the
executed child clear the most critical environment variables
(similar to setuid programs). Special care needs to be taken
nevertheless that this interaction between parent and child programs
can not be exploited in other ways to gain the rights of the child
process.
- If a resource is marked as "r" in the profile it was possible to use
mmap with PROT_EXEC flag set to load this resource as executable
piece of code, making it effectively "ix".
This could be used by a coordinated attack between two applications
to potentially inject code into the reader.
To allow mmap() executable access, supply the "m" flag to the
application's profile.
Please also review the updated documentation.
Andreas
--
Andreas Jaeger, aj@xxxxxxx, http://www.suse.de/~aj/
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
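
The profile review suggested in the AppArmor note can be started mechanically. The following is an added example, not part of the original mail or of AppArmor itself: a small Python check that lists rules still using "ux" or "px" and read-only rules on shared objects that lack "m". The sample profile, its paths, and the ".so" heuristic are assumptions made for illustration.

```python
import re

# Constructed sample profile; all paths are made up for illustration.
SAMPLE_PROFILE = """\
/usr/bin/example {
  /etc/example.conf r,
  /lib/lib*.so* r,
  /usr/lib/example/plugin.so mr,
  /usr/bin/helper ux,
  /usr/bin/worker px,
  /usr/bin/safe-helper Ux,
  /bin/cat ix,
}
"""

# A file rule: "<path> <permission letters>," with an optional trailing comment.
RULE = re.compile(r"^\s*(/\S*)\s+([A-Za-z]+)\s*,\s*(?:#.*)?$")

def audit_profile(text):
    """Return (line_no, path, perms, advice) for rules affected by the update."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = RULE.match(line)
        if not match:
            continue  # profile header, closing brace, comment or blank line
        path, perms = match.groups()
        # Lowercase "ux"/"px" pass LD_PRELOAD and similar variables to the child.
        if "ux" in perms:
            findings.append((line_no, path, perms,
                             "unconfined child keeps the environment; consider Ux"))
        if "px" in perms:
            findings.append((line_no, path, perms,
                             "child keeps the environment; consider Px"))
        # Assumption: a path containing ".so" is a shared object mapped as code.
        if ".so" in path and "r" in perms and "m" not in perms:
            findings.append((line_no, path, perms,
                             "r alone no longer allows mmap(PROT_EXEC); add m if needed"))
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("line %d: %s %s -> %s" % finding)
```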