lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 22 Aug 2006 21:23:00 +0000
From:	Willy Tarreau <wtarreau@...a.kernel.org>
To:	linux-kernel@...r.kernel.org
Cc:	mtosatti@...hat.com,
	"Patrick J. Volkerding" <volkerdi@...ckware.com>,
	Grant Coady <gcoady.lk@...il.com>
Subject: Linux 2.4.33.2


Hi !

Linux 2.4.33.2 is out. It fixes a local privilege escalation in SCTP
(CVE-2006-3745). Also included are a fix for a bad address check in
binfmt_elf (already in 2.6), and a fix for build on some non-sparc
architectures which I broke in 2.4.33.1 when trying to fix the memchr()
export (problem reported by Mikael Pettersson).

If does not contain the UDF fix which went in 2.6.17.10. I will check
whether it applies to 2.4 and will backport it for a future release.

### Important note for users of Slackware 10.2 ###

Grant Coady informed me that 2.4.33.1 did not boot for him. After a long
series of tests from him and Pat Volkerding, it appeared that the problem
is caused by glibc 2.3.6 wrongly detecting kernel version as 4.33.1 and
mistakenly using the NTPL libs instead.

Patrick has fixed the problem and will (has ?) send the fix to the glibc
team. By now people using Slackware 10.2 must upgrade their glibc to
glibc-solibs-2.3.5-i486-6_slack10.2.tgz if they want to run a 2.4.33.x
kernel (user glibc-2.3.6 build -5 for -current). A workaround is either
to rename /lib/tls or to rename the kernel to something different than
4 numbers separated by dots. Since the problem is fixed, I don't intend
to change the numbering.

I dont think that this problem might affect many other distros since those
shipping an NPTL-enabled libc with both 2.4 and 2.6 mainline are rare. If
anyone else encounters the problem, Pat has the fix.


Regards,
Willy



Summary of changes from v2.4.33.1 to v2.4.33.2
============================================

Ernie Petrides:
      binfmt_elf.c : fix checks for bad address

Sridhar Samudrala:
      [SCTP] Local privilege elevation - CVE-2006-3745

Willy Tarreau:
      Revert "export memchr() which is used by smbfs and lp driver."
      [SPARC] export memchr() which is used by smbfs and lp driver.
      Change VERSION to 2.4.33.2


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ