Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


Fedora Core Advisory: kernel

Jun 11, 2004, 18:14 (1 Talkback[s])

Fedora Update Notification
FEDORA-2004-137
2004-06-11

Product : Fedora Core 2
Name : kernel
Version : 2.6.6
Release : 1.427
Summary : The Linux kernel (the core of the Linux operating system)

Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.


Update Information:

An updated kernel is available that brings the kernel to the 2.6.7-rc3 base level. This new kernel provides a significant number of bug fixes and improvements for USB, the keyboard/mouse subsystem and the VM. This kernel also fixes the high profile bugs about not working on VIA C3 processors (#120685) and Asus P4P800 motherboards (#121819). In this new kernel firewire no longer oopses during boot and has been re-enabled, however we consider firewire support still somewhat experimental and recommend extensive testing before using firewire in a production environment.

This kernel also contains the enhancements series from Al Viro that enables the Sparse source code checking tool to check for a certain class kernel bugs. This class of bugs can lead to privilege escalation vulnerabilities, and fixes for all such bugs that were found with Sparse and these patches are included in this erratum.

NX feature

In addition to these bugfixes, the x86 kernel-smp subpackage now also contains support for the 'NX' feature that is present in current AMD Athlon64/Opteron processors and for which support has been announced by Intel, VIA and Transmeta for future processors.

A significant percentage of security exploits are made possible by abusing buffer overflow programming defects in application. With an executable stack or heap, an attacker could use the buffer overflow to put hostile program code on the stack/heap and consequently trick the program into executing this code. The 'NX' feature adds a "don't execute" bit which lets the kernel disallow executing code from marked areas such as the stack and the heap.

http://www.uwsg.indiana.edu/hypermail/linux/kernel/0406.0/0497.html describes the patch that provides this feature in more detail.

Fedora Core 1 and Fedora Core 2 already contain the Execshield functionality in both the regular and smp kernels. By using the segmentation feature of x86 processors, Execshield can effectively make the stack and certain other regions of memory non-executable on all existing x86 processors. On processors with the 'NX' feature, the kernel can make a finer grained protection decision about which regions of the application memory need to have execution disabled. While Execshield provides the basic no-execute protection for the stack and (for most applications) the heap, the 'NX' feature allows for a more enhanced safety net against buffer overflow attacks in complex applications such as the X server. The 'NX' feature is also used to protect against buffer overflow attacks to the kernel itself.

Having a non-executable stack/heap can help prevent the most common security exploits. Other Execshield features such as PIE (Position Independent Executable) randomization supplement and increase this protection (either provided via the segment limits or via the 'NX' feature) with the overall goal of making it much harder to exploit security flaws.


* Fri Jun 11 2004 Arjan van de Ven
  • disable mlock-uses-rlimit patch, it has a security hole and needs more thought
  • revert airo driver to the FC2 one since the new one breaks
    • Wed Jun 09 2004 Dave Jones <<A HREF="mailto:davej@redhat.com">davej@redhat.com>
  • Update to 2.6.7rc3
    • Sat Jun 05 2004 Arjan van de Ven <<A HREF="mailto:arjanv@redhat.com">arjanv@redhat.com>
  • fix the mlock-uses-rlimit patch
    • Thu Jun 03 2004 David Woodhouse <<A HREF="mailto:dwmw2@redhat.com">dwmw2@redhat.com>
  • Add ppc64 (Mac G5)
    • Thu Jun 03 2004 Arjan van de Ven <<A HREF="mailto:arjanv@redhat.com">arjanv@redhat.com>
  • add a forward port of the mlock-uses-rlimit patch
  • add NX support for x86 (Intel, Ingo)
    • Wed Jun 02 2004 Arjan van de Ven <<A HREF="mailto:arjanv@redhat.com">arjanv@redhat.com>
  • refresh ext3 reservation patch
    • Mon May 31 2004 Arjan van de Ven <<A HREF="mailto:arjanv@redhat.com">arjanv@redhat.com>
  • 2.6.7-rc2
    • Fri May 28 2004 Pete Zaitcev <<A HREF="mailto:zaitcev@redhat.com">zaitcev@redhat.com>
  • Fix qeth and zfcp (s390 drivers): align qib by 256, embedded into qdio_irq.
    • Fri May 28 2004 Dave Jones <<A HREF="mailto:davej@redhat.com">davej@redhat.com>
  • Fix the crashes on boot on Asus P4P800 boards. (#121819)
    • Thu May 27 2004 Dave Jones <<A HREF="mailto:davej@redhat.com">davej@redhat.com>
  • Lots more updates to the SCSI whitelist for various USB card readers. (#112778, among others..)
    • Thu May 27 2004 Arjan van de Ven <<A HREF="mailto:arjanv@redhat.com">arjanv@redhat.com>
  • back out ehci suspend/resume patch, it breaks
  • add fix for 3c59x-meets-kudzu bug from Alan
    • Wed May 26 2004 Arjan van de Ven <<A HREF="mailto:arjanv@redhat.com">arjanv@redhat.com>
  • try improving suspend/resume by restoring more PCI state
  • 2.6.7-rc1-bk1
    • Tue May 25 2004 Dave Jones <<A HREF="mailto:davej@redhat.com">davej@redhat.com>
  • Add yet another multi-card reader to the whitelist (#85851)
    • Mon May 24 2004 Dave Jones <<A HREF="mailto:davej@redhat.com">davej@redhat.com>
  • Add another multi-card reader to the whitelist (#124048)
    • Thu May 20 2004 Arjan van de Ven <<A HREF="mailto:arjanv@redhat.com">arjanv@redhat.com>
  • put firewire race fix in (datacorruptor)
    • Wed May 19 2004 Dave Jones <<A HREF="mailto:davej@redhat.com">davej@redhat.com>
  • Fix typo in ibmtr driver preventing compile (#123391)
    • Tue May 18 2004 Arjan van de Ven <<A HREF="mailto:arjanv@redhat.com">arjanv@redhat.com>
  • update to 2.6.6-bk3
  • made kernel-source and kernel-doc noarch.rpm's since they are not architecture specific.

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

337c999f7dc1dccf8bda806ab94aaad0 SRPMS/kernel-2.6.6-1.427.src.rpm
409e0582df22abbbae031a1593093285 i386/kernel-2.6.6-1.427.i586.rpm
8a009651ce46a265f7705d31f02fcb6e i386/kernel-smp-2.6.6-1.427.i586.rpm
f8a2f4edc790cca69829ee71898d0095 i386/debug/kernel-debuginfo-2.6.6-1.427.i586.rpm
db2fad6f1bc995fca31f1558aafe8d8a i386/kernel-2.6.6-1.427.i686.rpm
d34f944530365d54e95c1a762a103d7a i386/kernel-smp-2.6.6-1.427.i686.rpm
de203c8bdebd186192a0fb12a12eaf5a i386/debug/kernel-debuginfo-2.6.6-1.427.i686.rpm
d3d3605bc24d574cd0813edc0be8d65c i386/kernel-sourcecode-2.6.6-1.427.noarch.rpm
826a07dcc5c5c8f60bc169f67780c2dc i386/kernel-doc-2.6.6-1.427.noarch.rpm
05fa87f6bb8d2e2d2c0b8f13de180feb x86_64/kernel-2.6.6-1.427.x86_64.rpm
eab86618eb29a90b4d1ca3810485b117 x86_64/kernel-smp-2.6.6-1.427.x86_64.rpm
aca6a3b39034e44116bc752ad5e15349 x86_64/debug/kernel-debuginfo-2.6.6-1.427.x86_64.rpm
d3d3605bc24d574cd0813edc0be8d65c x86_64/kernel-sourcecode-2.6.6-1.427.noarch.rpm
826a07dcc5c5c8f60bc169f67780c2dc x86_64/kernel-doc-2.6.6-1.427.noarch.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.