Message-ID: <20090913095928.GA23158@hera.kernel.org>
Date:	Sun, 13 Sep 2009 09:59:28 +0000
From:	Willy Tarreau <wtarreau@...a.kernel.org>
To:	linux-kernel@...r.kernel.org
Subject: Linux 2.4.37.6

I've just released Linux 2.4.37.6.

This version focuses on various vulnerabilities causing information
leaks to user processes. I would personally call them minor since at
most a few bytes per call or another task's pointer can be
collected. Still, those were fixed in 2.6 so it's better to have 2.4
at the same level. Most of them are recent, except the proc/pid/maps
which I missed one year ago and the netlink padding issue which was
fixed 4 years ago.

Most of them have CVE numbers assigned but I forgot to check them
while committing. I don't think users are reading them that much
anyway.

If you don't know whether you need to upgrade, it's simple: if you're
running something older than 2.4.37.5, you're potentially at risk so
you should upgrade anyway. If you have untrusted local users, I would
recommend you to upgrade. Otherwise you can wait for a more sensible
update.

The patch and changelog will appear soon at the following locations:
  ftp://ftp.kernel.org/pub/linux/kernel/v2.4/
  ftp://ftp.kernel.org/pub/linux/kernel/v2.4/patch-2.4.37.6.bz2
  ftp://ftp.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.6

Git repository:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.4.37.y.git
  http://www.kernel.org/pub/scm/linux/kernel/git/stable/linux-2.4.37.y.git

Git repository through the gitweb interface:
  http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git


Willy

--
Summary of changes from v2.4.37.5 to v2.4.37.6
============================================

Eric Dumazet (6):
      tc: Fix uninitialized kernel memory leak
      appletalk: fix atalk_getname() leak
      econet: Fix econet_getname() leak
      irda: Fix irda_getname() leak
      netrom: Fix nr_getname() leak
      rose: Fix rose_getname() leak

Jake Edge (1):
      proc: avoid information leaks to non-privileged processes

Linus Torvalds (1):
      do_sigaltstack: avoid copying 'stack_t' as a structure to user space

Patrick McHardy (3):
      [NETLINK]: Missing initializations in dumped data
      [NETLINK]: Clear padding in netlink messages
      [NETLINK]: Missing padding fields in dumped structures

Willy Tarreau (2):
      restrict reading from /proc/<pid>/maps to those who share ->mm or can ptrace pid
      Change VERSION to 2.4.37.6
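The getname() and sigaltstack fixes listed above all share one pattern: a structure is assembled on the kernel stack, only the fields the code cares about are filled in, and the whole object is then copied to user space, so reserved fields or padding carry whatever the stack held before. The following added example (not code from the 2.4 tree; the structure and values are constructed) models that leak and the memset-before-copy fix in user-space C, using a marker byte to stand in for stale stack contents:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical address structure with a reserved field that must reach
 * user space as zeros (compare sat_zero in the AppleTalk sockaddr). */
struct addr_out {
    uint16_t family;
    uint8_t  len;
    uint8_t  zero[5];   /* reserved; never filled by the leaky variant */
    uint32_t addr;      /* offset 8, so no compiler padding is involved */
};

/* Stand-in for a reused kernel stack: fill the object with a known marker. */
static void simulate_stale_stack(struct addr_out *a, unsigned char stale)
{
    memset(a, stale, sizeof *a);
}

/* Count output bytes still equal to the marker, i.e. never initialised. */
static size_t stale_bytes(const unsigned char *buf, size_t n, unsigned char stale)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == stale)
            c++;
    return c;
}

/* Leaky pattern: set the interesting fields, copy the whole structure out.
 * Returns how many stale bytes reached 'user' (models copy_to_user()). */
size_t leaky_getname(unsigned char user[sizeof(struct addr_out)], unsigned char stale)
{
    struct addr_out a;
    simulate_stale_stack(&a, stale);
    a.family = 5;                 /* constructed sample values */
    a.len = sizeof a;
    a.addr = 0x0a000001u;
    memcpy(user, &a, sizeof a);
    return stale_bytes(user, sizeof a, stale);
}

/* Fixed pattern: clear the entire structure before filling any field. */
size_t fixed_getname(unsigned char user[sizeof(struct addr_out)], unsigned char stale)
{
    struct addr_out a;
    simulate_stale_stack(&a, stale);
    memset(&a, 0, sizeof a);      /* the actual fix: zero everything first */
    a.family = 5;
    a.len = sizeof a;
    a.addr = 0x0a000001u;
    memcpy(user, &a, sizeof a);
    return stale_bytes(user, sizeof a, stale);
}
```

The leaky variant delivers the five reserved bytes unchanged to the caller; the fixed variant delivers none, which is the property a regression test for these fixes should check.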
