Mailinglist Archive: opensuse-security (394 mails)

Re: [suse-security] dates on new kernels don't agree with release announcement?
  • From: Michael James <Michael.James@xxxxxxxx>
  • Date: Fri, 5 Dec 2003 16:22:16 +1100
  • Message-id: <200312051622.16503.Michael.James@xxxxxxxx>
On Friday 05 December 2003 15:47, Roman Drahtmueller wrote:
> That one was tested earlier (before it was published).
> There were checks on the brk() stuff, though.
> > If you look into the changelog of -144 kernel, the fix seems to be there:
> > * Fri Sep 26 2003 - mantel@xxxxxxx
> > - check bounds in do_brk
> Right, long ago...

> > > Sorry taking up time on a busy day, but I'm confused...
> > I am confused too.
> Anything open?

I think I am hearing that we were all patched and secure
back on Nov 24th. If that's the case then I'm happy.

> More details: Andrea Arcangeli has run into the missing bounds checks in
> brk() a while ago. The patch was added to our SLES8 update kernel for
> Service Pack 3, later (after release of 9.0) also to the update kernel for
> 9.0. _After_ that time, the do_brk() issue turned out to be a security
> threat, causing us to prepare updates for all products except for those
> which had the fix already.
> I guess you'd curse if you were facing the work... :-)

That makes things considerably clearer.

This issue of being ahead of the game would be an unmitigated triumph
IF you weren't quite so self-effacing and wore your
"Been there, done that, Got the Patches" tee shirt on the lists
where panics break: bugtraq, suse-security, Auscert (Australian CERT).

Or another note on
to say an issue has already been addressed.

We have enough faith in Suse to believe
silence means work is going on behind the scenes
but it's stretching a sysadmin's cynicism when silence means "relax!"


Michael James michael.james@xxxxxxxx
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
