Bug#624605: Potential fixes for lenny from stable 2.6.27.59
Package: linux-2.6
Version: 2.6.26-26lenny2
Severity: normal

We might as well get some benefit from these backports:
001/173 USB: EHCI: ASPM quirk of ISOC on AMD SB800
002/173 rt2x00: add device id for windy31 usb device
003/173 hwmon: (via686a) Initialize fan_div values
004/173 USB: usb-storage: unusual_devs entry for CamSport Evo
005/173 USB: EHCI: ASPM quirk of ISOC on AMD Hudson
006/173 USB: EHCI: fix DMA deallocation bug
007/173 USB: g_printer: fix bug in module parameter definitions
008/173 USB: io_edgeport: fix the reported firmware major and minor
009/173 USB: ti_usb: fix module removal
010/173 USB: Storage: Add unusual_devs entry for VTech Kidizoom
011/173 USB: prevent buggy hubs from crashing the USB stack
Not important enough.
012/173 [SCSI] fix medium error problems with some arrays which can cause data corruption
Fixes data loss.
013/173 [SCSI] libsas: fix runaway error handler problem
014/173 [media] radio-aimslab.c: Fix gcc 4.5+ bug
015/173 ALSA : au88x0 - Limit number of channels to fix Oops via OSS emu
016/173 Input: i8042 - introduce 'notimeout' blacklist for Dell Vostro V13
Not important enough.
017/173 NFS: Fix "kernel BUG at fs/aio.c:554!"
Might fix local DoS or data loss?
018/173 rapidio: fix hang on RapidIO doorbell queue full condition
019/173 serial: unbreak billionton CF card
Not important enough.
020/173 ptrace: use safer wake up on ptrace_detach()
Fixes local DoS.
021/173 fix jiffy calculations in calibrate_delay_direct to handle overflow
022/173 USB: serial: pl2303: Hybrid reader Uniform HCR331
023/173 drivers: update to pl2303 usb-serial to support Motorola cables
024/173 powerpc: Fix some 6xx/7xxx CPU setup functions
025/173 parisc: pass through '\t' to early (iodc) console
026/173 parisc : Remove broken line wrapping handling pdc_iodc_print()
027/173 hostap_cs: fix sleeping function called from invalid context
Not important enough.
028/173 md: fix regression with re-adding devices to arrays with no metadata
Not applicable.
029/173 [rejected]
030/173 TPM: Long default timeout fix
031/173 drm/radeon: remove 0x4243 pci id
Not important enough.
032/173 x86, mm: avoid possible bogus tlb entries by clearing prev mm_cpumask after switching mm
Fixes data loss.
033/173 NFSD: memory corruption due to writing beyond the stat array
Fixes data loss.
034/173 sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
Already applied; CVE-2010-3705.
035/173 ocfs2_connection_find() returns pointer to bad structure
Might fix a security vulnerability.
036/173 Fix pktcdvd ioctl dev_minor range check
Already applied; CVE-2010-3437.
037/173 filter: make sure filters dont read uninitialized memory
Already applied; CVE-2010-4158.
038/173 x25: decrement netdev reference counts on unload
Not important enough.
039/173 [rejected]
040/173 [media] [v3,media] av7110: check for negative array offset
Already applied; CVE-2011-0521.
041/173 NFS: fix the return value of nfs_file_fsync()
Not applicable.
042/173 isdn: hisax: Replace the bogus access to irq stats
Not important enough.
043/173 dm raid1: fail writes if errors are not handled and log fails
Fixes data loss.
044/173 GFS2: Fix bmap allocation corner-case bug
045/173 sunrpc/cache: fix module refcnt leak in a failure path
Not important enough.
046/173 tcp: Increase TCP_MAXSEG socket option minimum.
047/173 tcp: Make TCP_MAXSEG minimum more correct.
Fixes local DoS; CVE-2010-4165.
048/173 nfsd: correctly handle return value from nfsd_map_name_to_*
Not applicable.
049/173 s390: remove task_show_regs
Already applied; CVE-2011-0710.
050/173 fs/partitions: Validate map_count in Mac partition tables
Already applied; CVE-2011-1010.
051/173 [media] radio-aimslab.c needs #include <linux/delay.h>
052/173 ARM: Ensure predictable endian state on signal handler entry
Not important enough.
053/173 platform: x86: asus_acpi: world-writable procfs files
054/173 [rejected]
055/173 platform: x86: acer-wmi: world-writable sysfs threeg file
056/173 platform: x86: tc1100-wmi: world-writable sysfs wireless and jogdial files
Probably fix local DoS.
057/173 genirq: Disable the SHIRQ_DEBUG call in request_threaded_irq for now
058/173 usb: musb: omap2430: fix kernel panic on reboot
Not important enough.
059/173 ldm: corrupted partition table can cause kernel oops
Already applied; CVE-2011-1012.
060/173 md: correctly handle probe of an 'mdp' device.
Not important enough.
061/173 x25: Do not reference freed memory.
Possibly fixes local DoS.
062/173 mfd: Fix NULL pointer due to non-initialized ucb1x00-ts absinfo
063/173 x86: Use u32 instead of long to set reset vector back to 0
Not important enough.
064/173 ext2: Fix link count corruption under heavy link+rename load
Fixes possible local DoS or data loss.
065/173 sctp: Fix oops when sending queued ASCONF chunks
Fixes remote DoS; CVE-2010-1173.
066/173 virtio: set pci bus master enable bit
Required for compatibility as guest in qemu 0.11-0.12.
067/173 dccp: fix oops on Reset after close
Already applied; CVE-2011-1093.
068/173 r8169: disable ASPM
Not important enough.
069/173 usb: iowarrior: don't trust report_size for buffer size
Already applied; CVE-2010-4656.
070/173 [S390] keyboard: integer underflow bug
Fixes local DoS or maybe privilege escalation.
071/173 mm: fix possible cause of a page_mapped BUG
Possibly fixes local DoS.
072/173 powerpc/kdump: CPUs assume the context of the oopsing CPU
073/173 powerpc/kdump: Use chip->shutdown to disable IRQs
074/173 powerpc: Use more accurate limit for first segment memory allocations
075/173 powerpc/pseries: Add hcall to read 4 ptes at a time in real mode
076/173 powerpc/kexec: Speedup kexec hash PTE tear down
077/173 powerpc/crashdump: Do not fail on NULL pointer dereferencing
078/173 powerpc/kexec: Fix orphaned offline CPUs across kexec
079/173 hwmon/f71882fg: Set platform drvdata to NULL later
080/173 libata: no special completion processing for EH commands
081/173 x86: Fix panic when handling "mem={invalid}" param
082/173 ahci: add device IDs for Ibex Peak ahci controllers
083/173 ahci: AHCI and RAID mode SATA patch for Intel Cougar Point DeviceIDs
084/173 ahci: AHCI and RAID mode SATA patch for Intel Patsburg DeviceIDs
085/173 ahci: AHCI mode SATA patch for Intel DH89xxCC DeviceIDs
086/173 ahci: AHCI mode SATA patch for Intel Patsburg SATA RAID controller
Not important enough.
087/173 RDMA/cma: Fix crash in request handlers
088/173 IB/cm: Bump reference count on cm_id before invoking callback
CVE-2011-0695.
089/173 x86, quirk: Fix SB600 revision check
090/173 USB: serial/kobil_sct, fix potential tty NULL dereference
091/173 USB: serial: ch341: add new id
092/173 PCI: add more checking to ICH region quirks
093/173 PCI: do not create quirk I/O regions below PCIBIOS_MIN_IO for ICH
094/173 SUNRPC: Ensure we always run the tk_callback before tk_action
095/173 ext3: Always set dx_node's fake_dirent explicitly.
Not important enough.
096/173 x86: Flush TLB if PGD entry is changed in i386 PAE mode
Fixes possible user-space hang.
097/173 isdn: avoid calling tty_ldisc_flush() in atomic context
098/173 [PARISC] fix per-cpu flag problem in the cpu affinity checkers
099/173 powerpc/kdump: Fix race in kdump shutdown
100/173 powerpc: rtas_flash needs to use rtas_data_buf
101/173 x86, binutils, xen: Fix another wrong size directive
102/173 aio: wake all waiters when destroying ctx
103/173 shmem: let shared anonymous be nonlinear again
Not important enough.
104/173 Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
Fixes CVE-2011-1182.
105/173 ext3: skip orphan cleanup on rocompat fs
Fixes data loss.
106/173 procfs: fix /proc/<pid>/maps heap check
Not important enough.
107/173 proc: protect mm start_code/end_code in /proc/pid/stat
Fixes local information leak that defeats ASLR.
108/173 fbcon: Bugfix soft cursor detection in Tile Blitting
109/173 ehci-hcd: Bug fix: don't set a QH's Halt bit
110/173 USB: uss720 fixup refcount position
111/173 USB: cdc-acm: fix potential null-pointer dereference on disconnect
112/173 Input: xen-kbdfront - advertise either absolute or relative coordinates
113/173 dcdbas: force SMI to happen when expected
114/173 myri10ge: fix rmmod crash
115/173 cciss: fix lost command issue
116/173 sound/oss/opl3: validate voice and channel indexes
117/173 mac80211: initialize sta->last_rx in sta_info_alloc
118/173 [SCSI] ses: show devices for enclosures with no page 7
119/173 [SCSI] ses: Avoid kernel panic when lun 0 is not mapped
Not important enough.
120/173 eCryptfs: ecryptfs_keyring_auth_tok_for_sig() bug fix
Might fix a local DoS?
121/173 Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
Fixes regression in 104/173.
122/173 xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
Already applied; CVE-2011-0711.
123/173 irda: validate peer name and attribute lengths
Fixes remote privilege escalation.
124/173 irda: prevent heap corruption on invalid nickname
Fixes local privilege escalation.
125/173 ASoC: Explicitly say registerless widgets have no register
126/173 ALSA: ens1371: fix Creative Ectiva support
Not important enough.
127/173 ROSE: prevent heap corruption with bad facilities
CVE-2011-1493.
128/173 UBIFS: do not read flash unnecessarily
129/173 UBIFS: fix oops on error path in read_pnode
130/173 quota: Don't write quota info in dquot_commit()
Not important enough.
131/173 mm: avoid wrapping vm_pgoff in mremap()
Fixes local DoS.
132/173 Bluetooth: sco: fix information leak to userspace
Already applied; CVE-2011-1078.
133/173 bridge: netfilter: fix information leak
Already applied; CVE-2011-1080.
134/173 Bluetooth: bnep: fix buffer overflow
Already applied; CVE-2011-1079.
135/173 Bluetooth: add support for Apple MacBook Pro 8,2
Not important enough.
136/173 Treat writes as new when holes span across page boundaries
Fixes data loss.
137/173 char/tpm: Fix unitialized usage of data buffer
Not important enough.
138/173 netfilter: ip_tables: fix infoleak to userspace
Already applied; CVE-2011-1171.
139/173 netfilter: arp_tables: fix infoleak to userspace
Already applied; CVE-2011-1170.
140/173 netfilter: ipt_CLUSTERIP: fix buffer overflow
Not a real buffer overflow; not really important.
141/173 ipv6: netfilter: ip6_tables: fix infoleak to userspace
Already applied; CVE-2011-1172.
142/173 drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file
Fixes local DoS.
143/173 econet: 4 byte infoleak to the network
Already applied; CVE-2011-1173.
144/173 sound/oss: remove offset from load_patch callbacks
145/173 sound: oss: midi_synth: check get_user() return value
146/173 repair gdbstub to match the gdbserial protocol specification
147/173 powerpc/kexec: Add ifdef CONFIG_PPC_STD_MMU_64 to PPC64 code
148/173 powerpc: Fix default_machine_crash_shutdown #ifdef botch
Not important enough.
149/173 sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set
Fixes local DoS.
150/173 net: ax25: fix information leak to userland
Already applied; CVE-2010-3875.
151/173 net: packet: fix information leak to userland
Already applied; CVE-2010-3876.
152/173 ext4: fix credits computing for indirect mapped files
Fixes data loss. Maybe not important as ext4 was considered
experimental in lenny.
153/173 nfsd: fix auth_domain reference leak on nlm operations
Probably fixes remote DoS.
154/173 net: tipc: fix information leak to userland
Already applied; CVE-2010-3877.
155/173 inet_diag: Make sure we actually run the same bytecode we audited.
Already applied; CVE-2010-3880.
156/173 econet: Fix crash in aun_incoming().
Already applied; CVE-2010-4342.
157/173 irda: prevent integer underflow in IRLMP_ENUMDEVICES
Already applied; CVE-2010-4529.
158/173 CAN: Use inode instead of kernel address for /proc file
Already applied; CVE-2010-4565.
159/173 exec: make argv/envp memory visible to oom-killer
160/173 exec: copy-and-paste the fixes into compat_do_execve() paths
Already applied; CVE-2010-4243.
161/173 xfs: zero proper structure size for geometry calls
Already applied; fixes regression in 122/173.
162/173 [media] video: sn9c102: world-wirtable sysfs files
Fixes local DoS.
163/173 x86: Fix a bogus unwind annotation in lib/semaphore_32.S
164/173 [IA64] tioca: Fix assignment from incompatible pointer warnings
165/173 nommu: ramfs: pages allocated to an inode's pagecache may get wrongly discarded
166/173 MAINTAINERS: update STABLE BRANCH info
167/173 UBIFS: fix oops when R/O file-system is fsync'ed
Not important enough.
168/173 next_pidmap: fix overflow condition
Fixes local DoS or information leak?
169/173 proc: do proper range check on readdir offset
Fixes local DoS or information leak?
170/173 USB: EHCI: unlink unused QHs when the controller is stopped
Not important enough.
171/173 net: ax25: fix information leak to userland harder
Fixes local information leak.
172/173 net: Fix oops from tcp_collapse() when using splice()
Fixes local DoS.
173/173 [SCSI] mptsas: fix hangs caused by ATA pass-through
Not important enough.
Ben.