On Mon, May 30, 2005 at 02:00:13AM -0600, dann frazier wrote:
> On Mon, 2005-05-30 at 00:22 -0600, dann frazier wrote:
> > On Wed, 2005-05-11 at 18:30 +0900, Horms wrote:
> > > Package: kernel-source-2.4.27
> > > Version: 2.4.27-10
> > > Severity: important
> > > Tags: patch, security, pending
> > >
> > > I got this from Moritz Muehlenhoff <[EMAIL PROTECTED]>:
> > >
> > > http://www.redhat.com/support/errata/RHSA-2005-284.html
> > >
> > > This is CAN-2005-0137 : Linux kernel 2.6 on Itanium (ia64) architectures
> > > allows local users to cause a denial of service via a "missing
> > > Itanium syscall table entry."
> > >
> > > On investigation I found that
> > > 2.4.27 is vulnerable to this. 2.6.8 and 2.6.11 are not.
> > >
> > > The bug has been fixed upstream for both 2.4 and 2.6 and
> > > I have put this patch into SVN for 2.4.27
> >
> > Actually, this fix is already in kernel-patch-2.4.27-ia64 (2.4.27-3).
> > It was included when I resync'd with upstream; I didn't include a
> > reference in the changelog because I was unsure if the CAN ID was public
> > yet.
> >
> > kernel-patch-2.4.27-ia64 has already made its way into sarge, and:
> > <vorlon> anyway, yeah, 2.4 kernels are also being synced up; I've already
> > approved 2.4.27-8 in for ia64
> >
> > 2.4.27-8 was built against -3, so it sounds like this fix should already
> > be going in.
>
> Testing a build against 2.4.27-10, I noticed that both patches will
> apply. Since they both add a syscall slot, we silently get one extra
> syscall slot :/ I'm unsure how severe of a problem this is - but I fear
> it may introduce a DoS vector of its own.
>
> I think the best solution at this point is to build a
> kernel-patch-2.4.27-ia64 (2.4.27-4) that reverts this change and prepare
> a kernel-image along with it, therefore requiring no changes to
> kernel-source-2.4.27. What do you think?
>
> Release Team: If I get these 2 builds into sid can we move these into
> sarge with the other kernel updates?

Yes.

Thanks,
-- 
Steve Langasek
postmodern programmer

