Mailinglist Archive: opensuse-security (394 mails)

Re: [suse-security] dates on new kernels don't agree with release announcement?
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Fri, 5 Dec 2003 05:47:11 +0100 (MET)
  • Message-id: <Pine.LNX.4.58.0312050543190.10311@xxxxxxxxxxxx>
> > > Intel i386 Platform:
> > >
> > > SuSE-9.0:
> > > ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/
> > k_deflt-2.4.21-144.i586.rpm
> >
> > So the -144 version (k_deflt-2.4.21-144.i586.rpm) is named as the fix
> > but on all the mirrors I checked it is dated Nov 20 - Nov 24 ???
> > Same for all the other kernel types and suse versions.
>
> This time stamp confuses me too. Especially given the explanation
> that Roman gave for the delay with the announcement. If they were
> still testing the kernel, how come it was available for download?
>

That one was tested earlier (before it was published). There were checks
on the brk() stuff, though.

> If you look into the changelog of -144 kernel, the fix seems to be there:
>
> * Fri Sep 26 2003 - mantel@xxxxxxx
>
> - check bounds in do_brk

Right, long ago...

>
> >
> > Sorry taking up time on a busy day, but I'm confused...
>
> I am confused too.

Anything open?

More details: Andrea Arcangeli has run into the missing bounds checks in
brk() a while ago. The patch was added to our SLES8 update kernel for
Service Pack 3, later (after release of 9.0) also to the update kernel for
9.0. _After_ that time, the do_brk() issue turned out to be a security
threat, causing us to prepare updates for all products except for those
which had the fix already.
I guess you'd curse if you were facing the work... :-)

>
> Regards, -Kastus


Thanks,
Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx> // Nail here |
SUSE Linux AG - Security Phone: // for a new
| Nürnberg, Germany +49-911-740530 // monitor! --> [x] |
- -
