Hi all,
here goes 2nd release candidate of v2.2.27. It contains security
fixes including todays discovered SMP pagefault race, amongst
others.
2.2.27-rc2
- CAN-2005-0001: fixed expand_stack() SMP race (Redhat)
- CAN-2004-0883, CAN-2004-0949: smbfs: fixed client overflow.
There are two bugs in the handling of SMB responses that result in
remote kernel overflows. Due to the nature of the bugs both seem to
be very hard to exploit (in the sense of remote code execution or
local privilege escalation) but are trivial remote kernel crashes.
(Stefan Esser) - rose_rt_ioctl: lack of bounds checking (Coverity)
- sdla_xfer: lack of bounds checking (Coverity)
- coda: bounds checking for tainted scalars (Coverity)
- sendmsg compat wrapper fixes for 64bit compat mode (Olaf
Kirch)
2.2.27-rc1
- CAN-2004-0497: fixed missing DAC check on sys_chown (Thomas
Biege) - CAN-2004-1016: fixed a buffer overflow vulnerability in the
“__scm_send” function which handles the sending of UDP network
packets. A wrong validity check of the cmsghdr structure allowed a
local attacker to modify kernel memory, thus causing an endless
loop (DoS) or possibly even root privilege escalation. (Paul
Starzetz) - CAN-2004-1333: fixed integer overflow in the vc_resize function
allows local users to cause a denial of service (kernel crash) via
a short new screen value, which leads to a buffer overflow. Make
sure VC resizing fits in s16. (Georgi Guninski) - If the user makes ip_cmsg_send call ip_options_get multiple
times, we leak kmalloced IP options data. (Georgi Guninski) - fixed moxa serial bound checking issue (Alan Cox)
- menu cleanups (me)
Advertisement
2.2.27-pre2
- A more correct fix to last mremap (2) bug (Dan Yefimov/Solar
Designer) - renamed imho bogus _vsnprintf to vsnprintf (me)
- fixed ‘noexec’ behaviour (2.4 backport) from Ulrich Drepper
(me)
2.2.27-pre1
- fixed TCP keepalive bug (Neal Cardwell)
- fixed tcp seq nr wrapping bug (Ulrik De Bie)
- added cciss root translation table (Eduard Bloch)
- VIA KL133/KM133 northbridge: vga console going crazy (Roberto
Biancardi) - speedup ‘make dep’ (Benoit Poulot-Cazajous)
- disabled MCE only on Pentiums by default (2.4 backport) (boot
with ‘mce’ if your MCE works as expected) (Herbert Xu) - skb_realloc_headroom() panics when new headroom is smaller than
existing headroom - invalid nh.raw use after free (Julian Anastasov)
- fix a local APIC initaliziation ordering bug that triggers on
the P4 (Andrea Arcangeli) - TSC calibration must be dynamic and not a compile time thing
because gettimeofday is dynamic and it depends on the TSCs to be in
sync (Andrea Arcangeli) - fix deadlock on shutdown in 8139too (Herbert Xu)
- support for ELF executables which use an a.out format
interpreter (dynamic linker) moved into a separate configuration
option and disabled by default (Solar Designer) - fixed sys_utimes perm check according to sys_utim (Al
Viro) - show us the saved kernel command line (2.4 backport) (me)
- some whitespace cleanups, some coding style cleanups (me)
- fixed some gcc warnings (me)
- add PCI ID for 82820 NIC to eepro100 network driver (me)
- move ‘Network device support’ near ‘Networking options’
(me)