Mailinglist Archive: opensuse-security (394 mails)

Re: [suse-security] dates on new kernels don't agree with release announcement?
  • From: Kastus <NOSPAM@xxxxxxxxxx>
  • Date: Thu, 4 Dec 2003 18:44:28 -0800
  • Message-id: <20031205024428.GA4593@xxxxxxxxxx>
On Fri, Dec 05, 2003 at 12:09:59PM +1100, Michael James wrote:
> On Friday 05 December 2003 02:39, Olaf Kirch wrote:
> > SUSE Security Announcement
> >
> > Package: Linux Kernel
> > Announcement-ID: SuSE-SA:2003:049
> > Date: Thursday, December 4th 2003 15:30 MET
>
> <snip>
>
> > Intel i386 Platform:
> >
> > SuSE-9.0:
> > ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_deflt-2.4.21-144.i586.rpm
>
> So the -144 version (k_deflt-2.4.21-144.i586.rpm) is named as the fix
> but on all the mirrors I checked it is dated Nov 20 - Nov 24 ???
> Same for all the other kernel types and suse versions.

This time stamp confuses me too. Especially given the explanation
that Roman gave for the delay with the announcement. If they were
still testing the kernel, how come it was available for download?

>
> And the info file doesn't mention the "brk() vulnerability",
> IS this today's fix?

If you look into the changelog of the -144 kernel, the fix seems to be there:

* Fri Sep 26 2003 - mantel@xxxxxxx

- check bounds in do_brk

>
> Sorry for taking up time on a busy day, but I'm confused...

I am confused too.

Regards, -Kastus
