Re: CAN-2005-0001, CAN-2004-1235, CAN-2004-1137, CAN-2004-1016, Georgi Guninski security advisory #72, 2004, grsecurity 2.1.0 release
Greetings,
Am Mittwoch, 12. Januar 2005 20:32 schrieb Joey Hess:
> Jan Lühr wrote:
> > things seem to be in a rush right now, and I'm looking for a little
> > overview. In the past 1-2 months several kernel exploits rushed through
> > the news that might / can / probably will affect debian stable. However,
> > I haven't seen any signle DSA regarding the following issues: Can you
> > please give me an overview: Which problems do affected
> > kernel-source-2,4.18? - If so, what is the current status of the
> > according DSA?
>
> I'm afraid that I can only tell you the status of 2.6.8 and 2.4.27 in
> unstable/testing. AFAIK there have not been DSAs for any of these to fix
> stable, and I don't know which ones really affect stable. Probably most of
> them.
>
> Some of the information below may be incorrect, the kernel team knows
> better than I.
>
(...) Interesting and helpful information not quoted for better reading.
> A few others you left out:
Thanks for your help, the topic is quite wide-spreded, and I'm a part time
network administrator..
Do you recommend to use kernel-source-2.4.27 from sid (sarge) instead of
2.4.18 from woody?
> CAN-2004-1337
>
> Apparently only affects 2.6, we're not very vulnerable since the
> module is loaded by the initrd. Not yet fixed.
> CAN-2004-1335
>
> Fixed in kernel-source-2.6.8. 2.4 is not fixed.
>
> CAN-2004-1234
>
> Does not affect sarge since we have a kernel > 2.4.25.
>
> CAN-2004-1191
>
> Should not affect our 2.4 kernel since it was fixed in 2.4.27.
> Probably our 2.6.8 kernel is vulnerable.
>
> CAN-2004-1190
>
> Could be SuSE specific, unclear and not enough info.
>
> CAN-2004-1151
>
> My notes indicate that this was fixed in svn at some point, but
> I can't find the fix now.
>
> CAN-2004-1144
>
> Amd64 specific, don't know if we're vulnerable.
>
> CAN-2004-1074
>
> Fixed in kernel-source-2.6.8 2.6.8-11, kernel-source-2.4.27
> 2.4.27-7, and te binary packages uild from them.
>
> CAN-2004-1073
> CAN-2004-1072
> CAN-2004-1071
> CAN-2004-1070
>
> 2.6.8 and 2.4.27 are not vulnerable to these.
>
> CAN-2004-1069
>
> Only affects 2.6. Fixed in kernel-source-2.6.8 2.6.8-11.
>
> CAN-2004-1068
>
> Fixed in kernel-source-2.4.27 2.4.27-7, kernel-source-2.6.8 2.6.8-11.
>
> CAN-2004-1058
>
> AFAIK it's unfixed.
>
> CAN-2004-1056
>
> Fixed in kernel-source-2.4.27 2.4.27-8 (not yet released),
> kernel-source-2.6.8 2.6.8-11.
>
> CAN-2004-1017
>
> Unknown.
>
> CAN-2004-1016
>
> Fixed in kernel-image-2.4.27-i386 2.4.27-7.
>
> CAN-2004-0949
>
> Fixed in 2.4.27, but 2.6.8 may still be vulnerable.
>
> CAN-2004-0887
>
> s390 specific. Fixed in linux-kernel-image-2.6.8-s390 2.6.8-3,
> kernel-source-2.6.8 2.6.8-10
>
> CAN-2004-0883
>
> Unknown.
>
> CAN-2004-0814
>
> Fixed in kernel-source-2.6.8 2.6.8-8, kernel-source-2.4.27 2.4.27-7
>
> CAN-2004-0813
>
> Fixed in recent 2.6 and 2.4 kernels.
>
> CAN-2004-0685
>
> Unknown.
>
> CAN-2004-0596
>
> Unknown.
>
> CAN-2003-0465
>
> May be unfixed in our 2.4.27 kernel on some arches (bug #280492)
> i386 and ppc32 are ok.
> 2.6 fixed.
Thanks for your help. I'll look for information on this tomorrow. Is all
information available, (as far as I need 'em to check whether it concerns me)
or is it kept under disclosure?
Keep smiling
yanosz
Reply to: