Bug 154307

Comment 1 Harlan Lieberman-Berg (RETIRED) 2006-11-08 20:27:22 UTC

Following are vulnerable (note: x86 only):

gentoo-sources: Stabilize 2.6.18
hardened-sources: Bump to 2.6.18 or patch
rsbac-sources: Bump to 2.6.18 or patch
suspend2-sources: Stabilize 2.6.18

openmosix-sources: Hardmasked, so we will not wait for you before closing. Bump to 2.6.18 or patch.
xen-sources: Bump to 2.6.18 or patch
xbox-sources: Bump to 2.6.18 or patch

Comment 2 Guillaume Destuynder (RETIRED) 2006-11-09 06:48:07 UTC

rsbac-sources bumped to 2.6.18 in ~

Comment 3 Daniel Drake (RETIRED) 2006-11-09 07:05:42 UTC

Harlan, you should post the patch here as making such a jump in the stable tree is not possible for most maintainers. That said, gentoo-sources-2.6.18 is going stable right now so the timing worked out OK here...

Comment 4 Harlan Lieberman-Berg (RETIRED) 2006-11-09 15:36:23 UTC

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=47a5c6fa0e204a2b63309c648bb2fde36836c826

The patches are both located there. If you so wish, I can extract the patches and make an attachment. Just say the word if you want it. :)

Comment 5 Christian Heim (RETIRED) 2006-11-10 05:45:47 UTC

(In reply to comment #4)
> http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=47a5c6fa0e204a2b63309c648bb2fde36836c826
> 
> The patches are both located there. If you so wish, I can extract the patches
> and make an attachment. Just say the word if you want it. :)
> 

Nah, that ain't necessary .. gitweb is pretty nice for such things .. just attach the link to the plain commitdiff :)

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=47a5c6fa0e204a2b63309c648bb2fde36836c826;hp=1d19f176a2884d31c4fe2c7018349ff884a819b1

Comment 6 Daniel Drake (RETIRED) 2006-11-10 07:26:26 UTC

gitweb is often down or unusably slow, plus you need to check if it applies to 2.6.17 and maybe rediff. Attaching to the bug is best, IMO.

Comment 7 Andrew Ross (RETIRED) 2006-12-05 01:07:58 UTC

Note that this patch doesn't apply to 2.6.16 and I don't have the skills to backport it.

xen-sources will be bumped to 2.6.18 in the very near future to address this and other security issues. Hopefully, we can also use genpatches to make things easier in the future.

Comment 8 Daniel Drake (RETIRED) 2006-12-08 18:39:01 UTC

All done except xen

Comment 9 Christian Heim (RETIRED) 2006-12-09 02:16:34 UTC

suspend2-sources is still sitting and waiting, sorry.

Comment 10 Christian Heim (RETIRED) 2006-12-31 05:03:05 UTC

(In reply to comment #9)
> suspend2-sources is still sitting and waiting, sorry.

suspend2 is stable as of 19. Dec. 2006

Comment 11 Harlan Lieberman-Berg (RETIRED) 2007-02-13 16:17:54 UTC

ping for inaction. I will start hardmasking things guys...

Comment 12 Micheal Marineau (RETIRED) 2007-05-02 17:19:05 UTC

I've finally committed Xen 3.0.4 with xen-sources-2.6.16.49. This issue was fixed in 2.6.16.38 so we should be good now. :-)

Resolving since xen was the last one to be fixed.