Yesterday I was offered a kernel update for an 11.2 system. I was curious enough to look at the description and then to look further and was somewhat surprised at what I found. The description was:

====
kernel-3323 (noarch)

This update is needed to fix a security vulnerability with this package.

The updated openSUSE 11.2 kernel fixes the following security bugs:

CVE-2010-3310: Local users could corrupt kernel heap memory via ROSE sockets.

CVE-2010-2962: Local users could write to any kernel memory location via the i915 GEM ioctl interface.

Additionally the update restores the compat_alloc_userspace() inline function and includes several other bug fixes.

For more information about bugs fixed by this update please visit these websites:

• https://bugzilla.novell.com/show_bug.cgi?id=614670.
• https://bugzilla.novell.com/show_bug.cgi?id=640721.
• https://bugzilla.novell.com/show_bug.cgi?id=642009.
• https://bugzilla.novell.com/show_bug.cgi?id=644046.
====

I was initially surprised by the mention of compat_alloc_userspace(), which is very much like the compat_alloc_user_space() that caused so much angst a month or so ago. So I decided to check the individual bug reports.

I was a bit surprised by the first one, which causes major corruption of XFS filesystems and which has been fixed but left outstanding for quite some time! That doesn't encourage me to rely on the system for my data.

I was surprised in a different way by the other three, because it's not possible to access them! At least, not unless you have a Novell account and are prepared to log in to it. I wasn't last night.

Is it policy that kernel updates are sent out without open documentation of what they contain? I'd have expected that to violate the GPL, but then I haven't thought about it too hard yet.

Cheers,
Dave

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org