112791 2005-11-17 02:53 0000 Kernel 2.4.32 released, containing security fixes 2009-11-14 09:30:23 0000 1 1 1 Unclassified Gentoo Security Kernel unspecified All Linux RESOLVED FIXED http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.32 [linux <2.4.32] P2 normal --- 113326 113327 113504 114227 1 akorthaus@web.de security@gentoo.org carlo@gentoo.org chrb@gentoo.org gimli@gentoo.org gustavoz@gentoo.org hp-cluster@gentoo.org kang@gentoo.org kern-sec@gentoo.org nerdboy@gentoo.org solar@gentoo.org voxus@gentoo.org akorthaus@web.de 2005-11-17 02:53:16 0000 Kernel 2.4.32 has been released, containing some security fixes like [CAN-2005-0204] and the zlib issue. As far as I can see these issues have not been fixed in vanilla-sources or hardened-sources. There is also a new grsec patch for hardened-sources, containing a lot of fixes: http://grsecurity.net/news.php#grsec217 Apart from 2.4.32 release, shouldn't lead such security fixes to new -r ebuilds of the latest 2.4 kernel versions (http://linux.exosec.net/kernel/2.4-hf/)? You can find the following (security-)issues in 2.4, since 2.4.31 release, which are not in the gentoo ebuilds (AFAIK): http://linux.exosec.net/kernel/2.4-hf/2.4.31/2.4.31-hf8/CONTENTS Sorry in advance if I'm wrong! Reproducible: Always Steps to Reproduce: 1. 2. 3. gustavoz@gentoo.org 2005-11-29 12:24:25 0000 vanilla-sources-2.4.32 bumped by me with dsd's authorization. plasmaroo@gentoo.org 2005-12-23 17:30:38 0000 Adding maintainers; {mips,openmosix,rsbac,xbox}-sources. plasmaroo@gentoo.org 2006-01-02 15:09:57 0000 Toggle status. carlo@gentoo.org 2006-01-02 15:36:47 0000 http://linux.exosec.net/kernel/2.4-hf/2.4.32/2.4.32-hf32.1/CHANGELOG Shameless hint... ;) Or are those fixes considered too unimportant (a local DoS at least) for a revision bump? plasmaroo@gentoo.org 2006-01-03 11:55:40 0000 Adding CCs; hardened and xbox: it may be beneficial if you add the backport patches. plasmaroo@gentoo.org 2006-01-03 11:57:05 0000 sparc-sources 2.4.32-r1 and gentoo-sources 2.4.32-r1 resolve the issue with backports. solar@gentoo.org 2006-01-04 05:22:43 0000 (In reply to comment #5) > Adding CCs; hardened and xbox: it may be beneficial if you add the backport > patches. got a link to the patches broken out? plasmaroo@gentoo.org 2006-01-04 06:52:54 0000 > got a link to the patches broken out? 09-*.patch in the gentoo-sources-2.4.32-r2 patchball or here: http://linux.exosec.net/kernel/2.4-hf/2.4.32/2.4.32-hf32.1/2.4.32-hf32.1.split.tgz solar@gentoo.org 2006-01-05 09:32:07 0000 Thanks Tim hardened-sources-2.4.32-r1 is in the tree now with the 09* patches as ~arch. plasmaroo@gentoo.org 2006-04-15 13:36:09 0000 @cluster, kang: Any news on an update? carlo@gentoo.org 2006-04-15 13:45:26 0000 Tim, as you're updating the bug, it would be nice to see a new revision, including the patches from http://linux.exosec.net/kernel/2.4-hf/2.4.32/2.4.32-hf32.3/ plasmaroo@gentoo.org 2006-04-16 15:23:46 0000 (In reply to comment #11) > Tim, as you're updating the bug, it would be nice to see a new revision, > including the patches from > > http://linux.exosec.net/kernel/2.4-hf/2.4.32/2.4.32-hf32.3/ gentoo-sources-2.4.32-r3 in the tree. Maintainers please add the 09-* series of patches from the tarball if possible. The following maintainers still need to bump to 2.4.32: kurobox-sources (@nerdboy, adding to CC) openmosix-sources (@cluster, adding voxus to CC) rsbac-sources (@kang) Following maintainers please consider adding 09-* series of genpatches if possible, some/most of them may already be in your patchset: hardened-sources (solar) sparc-sources (gustavoz) xbox-sources (chrb/gimli) plasmaroo@gentoo.org 2006-04-16 15:24:38 0000 (In reply to comment #12) > gentoo-sources-2.4.32-r3 in the tree. Maintainers please add the 09-* series of > patches from the tarball if possible. http://dev.gentoo.org/~plasmaroo/patches/kernel/gentoo-sources/gentoo-sources-2.4.32-r3.tar.bz2 solar@gentoo.org 2006-04-16 19:51:18 0000 Thanks Tim. hardened-sources-2.4.32 bumped to -r3 ~arch with the following new patches. 09-07.CAN-2004-1058.patch 09-08.fix-inode-overflow.patch 09-09.fix-ptrace-self-attach-rule.patch 09-10.fix-sockaddr_in-leaks.patch 09-11.orinoco-CVE-2005-3180.patch 09-12.wan-sdla-leak.patch solar@gentoo.org 2006-04-20 04:45:58 0000 seems that only gentoo/hardened-sources are still maintained. gustavoz@gentoo.org 2006-04-24 13:44:00 0000 sparc-sources-2.4.32-r4 in and sparc stable. carlo@gentoo.org 2006-05-07 07:02:16 0000 There's a new hot fix release http://linux.exosec.net/kernel/2.4-hf/2.4.32/2.4.32-hf32.4/CHANGELOG plasmaroo@gentoo.org 2006-05-11 13:41:34 0000 gentoo-sources-2.4.32-r4 now in Portage and stable, thanks. New security patches listed below; if you're on x86 note the tweak you'd probably have to do with one of them: * 09-13.vlan_ioctl-missing-checks.patch * 09-14.netfilter-ipt_recent-memleak.patch * 09-15.CVE-2006-1864.patch * 09-16.CVE-2006-1524.patch * 09-17.CVE-2006-1056-i386.patch <-- Do not use unless you have an lck scheduler * 09-17.CVE-2006-1056-i386.patch.orig <-- Use this instead (rename from .orig) gustavoz@gentoo.org 2006-05-12 12:09:29 0000 sparc-sources-2.4.32-r5 in as ~sparc for a couple of days. You probably want 2.4.32-via-rhine-zero-pad-short-packets-1 in too for hardened/gentoo-sources. New patches for r5: 4013-vlan_ioctl_missing_checks.patch 4014_netfilter-ipt_recent-memleak.patch 4015_CVE-2006-1864-smbfs-escape-chroot.patch 4016_CVE-2006-1524-fix-shm-mprotect.patch 4017_via-rhine-zero-pad-short-packets.patch plasmaroo@gentoo.org 2006-05-18 13:36:15 0000 nerdboy: No response from you for a while, I've security masked kurobox-sources. Please bump to 2.4.32 and then feel free to unmask. Contact on IRC or mail if this is a problem. carlo: Further -hf announcements please just open a new bug to me, thanks :) All the other sources are fine now, changing bug status... asym@gentoo.org 2009-11-14 09:28:58 0000 Reopen bug in order to add a valid whiteboard.