
Re: CAN-2005-2555: 2.6.x does not properly restrict socket policy access to users with the CAP_NET_ADMIN capability



On Mon, Aug 22, 2005 at 09:42:29AM -0500, Micah wrote:
> Horms,
> 
> > Thanks as always.
> 
> Thanks to you for the quick reply!
> 
> > I have added [X] to SVN.
> > - In the linux-2.6 directory in trunk
> >   * This should appear in linux-2.6 2.6.12-6 in unstable.
> 
> Noted.
> 
> > - In the linux-2.6-devel (perhaps renamed linux-2.6-experimental by now)
> >   directory
> > - The sarge-security 2.6.8 branch
> >   * It should appear in kernel-source-2.6.8 2.6.8-16sarge2 in sarge-security
> >     (still working on how the security and kernel team can do this)
> 
> Noted.
> 
> > - The sarge 2.6.8 branch
> 
> Does this appear anywhere as a package in unstable? I know that 2.6.8 is
> being requested for removal, but why add it to this branch if it's never
> going to be used?

This is kind of complicated, and to be honest we are still working
out how best to handle things in SVN. What we have done is
to create a sarge-security branch, and then move the old trunk
to sarge, it's called a branch, but it's really the trunk... go figure.

As to whether this will ever be used. If there is ever a
non-security update of 2.6.8 in Sarge, then this will be it.
Otherwise it won't get used. I'd really like to know
which is more likely before we put a whole lot more work into it.

As for 2.6.8 in unstable/testing. It's dead. It should be removed ASAP.

> > - The sarge-security 2.4.27 branch
> >   * It should appear in kernel-source-2.4.27 2.4.27-10sarge2 in sarge-security
> >     (again, still working on how the security and kernel team can do this)
> 
> Noted.
> 
> > - The 2.4.27 directory in trunk
> >   * This should appear as kernel-source-2.4.27 2.6.12-12 in unstable
> 
> This one doesn't look right, I assume you mean to say
> "kernel-source-2.4.27 2.4.27-12 in unstable"?

Yes, sorry, that's what I meant.

> > Man, that's too many branches to be adding stuff to.
> > Need to do something about that.
> 
> No kidding!
> 
> Is it me just paying more attention to kernel security things, or are
> there just a significant number of kernel security holes nowadays?

Good question. I think it's the former, though I have been wondering
the same thing myself.

-- 
Horms


