On Fri, Nov 06, 2009 at 09:30:47AM +0100, Frank Steiner wrote:
Hi,
Marcus Meissner wrote
Hi,
A bug in the Linux kernels "pipe" system call implementation was found which can be used by local attackers to gain root privileges.
CVE-2009-3547 http://www.openwall.com/lists/oss-security/2009/11/03/1
The several days delay in getting Kernel updates out is due to kernel QA taking around 4 days, as they include numbers of regressions, burn-in and partner tests and careful evaluation of the generated results.
not meaning to offend anyone, but as far as I can see the patch for this has been added on October 26th to the SuSE sources (SLE 10 SP2):
* Mon Oct 26 2009 - jkosina@suse.de - patches.fixes/fix-pipe-null-ptr.patch: fs: pipe.c null pointer dereference (bnc#550001, CVE-2009-3547).
So couldn't the kernels have been out a week ago?
First, the issue was handled as responsible disclosure with the disclosure date on this week (Nov 4 actually, but it turned out to be Nov 3). Second, we do need QA time to actually test kernels. Thirdly, the patch listed above was buggy. Which we noticed on Tuesday and had to restart the update. Otherwise we would probably be ready now. Make sure you have: Tue Nov 3 12:14:59 CET 2009 - jkosina@suse.de - patches.fixes/fix-pipe-null-ptr.patch: fix incorrect increment in pipe_write_open() in the changelog if you are testing KOTD kernels. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org