On Fri, Dec 05, 2003 at 12:09:59PM +1100, Michael James wrote:
On Friday 05 December 2003 02:39, Olaf Kirch wrote:
SUSE Security Announcement
Package: Linux Kernel
Announcement-ID: SuSE-SA:2003:049
Date: Thursday, December 4th 2003 15:30 MET
<snip>
Intel i386 Platform:
SuSE-9.0: ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/
k_deflt-2.4.21-144.i586.rpm
So the -144 version (k_deflt-2.4.21-144.i586.rpm) is named as the fix but on all the mirrors I checked it is dated Nov 20 - Nov 24 ??? Same for all the other kernel types and suse versions.
This time stamp confuses me too. Especially given the explanation that Roman gave for the delay with the announcement. If they were still testing the kernel, how come it was available for download?
And the info file doesn't mention the "brk() vulnerability", IS this today's fix?
If you look into the changelog of the -144 kernel, the fix seems to be there:
* Fri Sep 26 2003 - mantel@suse.de
- check bounds in do_brk
Sorry for taking up time on a busy day, but I'm confused...
I am confused too.
Regards,
-Kastus