The vmsplice local root exploit patch should be included for all affected gentoo-sources kernels in the tree. I am currently stuck with kernels 2.6.22* because of the ioremap bug in all later kernels (see bugs: http://bugzilla.kernel.org/show_bug.cgi?id=10077 and http://bugzilla.kernel.org/show_bug.cgi?id=9955). Possibly there are a lot of other people forced to stick with the 2.6.22 kernel and there's no reason why the exploit should be patched only in >=2.6.23. Reproducible: Always
Please note that there are several bugs unfixed within the 2.6.22 version of gentoo-sources, among them bugs 158788, 171888, 188644, 196862, 198997, 199312, 199691, 199845, 200769, 202235, 202290, 209460 and 213811. I'm pulling in the kernel team for advice, because it is fixed in gentoo-sources as far as the security policy is concerned, and this would only be an enhancement.
gentoo-sources-2.6.22 is no longer supported and will not be updated. gentoo-sources-2.6.24 is currently the only supported version.
Thanks for making that clear, Daniel.
(In reply to comment #2)
> gentoo-sources-2.6.22 is no longer supported and will not be updated.

Then it should either be removed from the tree, masked or patched. It's a simple fix, two minutes' worth of work. I think keeping unmasked insecure packages is neither in Gentoo's interest nor the security policy.
(In reply to comment #4)
> (In reply to comment #2)
> > gentoo-sources-2.6.22 is no longer supported and will not be updated.
>
> Then it should either be removed from the tree, masked or patched. It's a
> simple fix, two minutes' worth of work. I think keeping unmasked insecure
> packages is neither in Gentoo's interest nor the security policy.

As far as our security policy goes, only the latest available ebuild for each source is supported. I see how that is not desirable for both developers and users, and we are working on improving that. Your help is very much appreciated there, please talk to me on irc or via mail.
If you have time, you should file bugs for any issues preventing you from running the latest kernel. We are then at least aware of the issues, can track them, and can maybe help solve them. When marking new kernels stable (and ending support for older ones) we always review outstanding regression bugs and base decisions on that. We can't consider regressions that nobody has told us about :)