Re: [suse-security] dates on new kernels don't agree with release announcement?
From: Roman Drahtmueller (drahtsuse.de)
Date: Thu Dec 04 2003 - 22:47:11 CST
> > > Intel i386 Platform:
> > >
> > > SuSE-9.0:
> > > ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_deflt-2.4.21-144.i586.rpm
> > So the -144 version (k_deflt-2.4.21-144.i586.rpm) is named as the fix
> > but on all the mirrors I checked it is dated Nov 20 - Nov 24 ???
> > Same for all the other kernel types and suse versions.
> This time stamp confuses me too. Especially given the explanation
> that Roman gave for the delay with the announcement. If they were
> still testing the kernel, how come it was available for download?
That one was tested earlier (before it was published). There were checks
on the brk() stuff, though.
> If you look into the changelog of -144 kernel, the fix seems to be there:
> * Fri Sep 26 2003 - mantelsuse.de
> - check bounds in do_brk
Right, long ago...
> > Sorry for taking up time on a busy day, but I'm confused...
> I am confused too.
More details: Andrea Arcangeli has run into the missing bounds checks in
brk() a while ago. The patch was added to our SLES8 update kernel for
Service Pack 3, later (after release of 9.0) also to the update kernel for
9.0. _After_ that time, the do_brk() issue turned out to be a security
threat, causing us to prepare updates for all products except for those
which had the fix already.
I guess you'd curse if you were facing the work... :-)
> Regards, -Kastus
Roman Drahtmüller <drahtsuse.de>
SUSE Linux AG - Security, Nürnberg, Germany
Phone: +49-911-740530
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here