On Friday 05 December 2003 15:47, Roman Drahtmueller wrote:
That one was tested earlier (before it was published). There were checks on the brk() stuff, though.
If you look into the changelog of -144 kernel, the fix seems to be there: * Fri Sep 26 2003 - mantel@suse.de - check bounds in do_brk
Right, long ago...
Sorry taking up time on a busy day, but I'm confused... I am confused too.
Anything open?
I think I am hearing that we were all patched and secure back on Nov 24th. If that's the case then I'm happy.
More details: Andrea Arcangeli has run into the missing bounds checks in brk() a while ago. The patch was added to our SLES8 update kernel for Service Pack 3, later (after release of 9.0) also to the update kernel for 9.0. _After_ that time, the do_brk() issue turned out to be a security threat, causing us to prepare updates for all products except for those which had the fix already. I guess you'd curse if you were facing the work... :-)
That makes things considerably clearer. This issue of being ahead of the game would be an unmitigated triumph IF you weren't quite so self-effacing and wore your "Been there, done that, Got the Patches" tee shirt on the lists where panics break: bugtraq, suse-security, Auscert (australian CERT). Or another note on http://www.suse.com/us/private/support/security/index.html to say an issue has already been addressed. We have enough faith in Suse to believe silence means work is going on behind the scenes but it's stretching a sysadmin's cynicism when silence means "relax!" michaelj -- Michael James michael.james@csiro.au System Administrator voice: 02 6246 5040 CSIRO Bioinformatics Facility fax: 02 6246 5166