pending stable kernel security updates

Tim Gardner tcanonical at tpi.com
Wed Jul 2 13:21:53 UTC 2008 

Tim Gardner wrote:
> Kees Cook wrote:
>> On Mon, Jun 23, 2008 at 10:49:39PM -0700, Kees Cook wrote:
>>> Hello!  I've got more pending kernel updates waiting in the
>>> ubuntu-security git trees now:
>> Here's an update, given the 4 recently-public CVEs.  Current state of
>> the CVEs, where "pending" means the fix is in the corresponding
>> ubuntu-security git repo:
>>
>>                        dapper         feisty          gutsy          hardy
>> CVE-2007-6282         pending        pending        pending        pending
>> CVE-2007-6712    not-affected        pending        pending   not-affected
>> CVE-2008-0598    needs-triage   needs-triage   needs-triage   not-affected
>> CVE-2008-1615         pending        pending        pending        pending
>> CVE-2008-1673         pending        pending        pending        pending
>> CVE-2008-2136         pending        pending        pending        pending
>> CVE-2008-2137         pending        pending        pending        pending
>> CVE-2008-2148    not-affected   not-affected        pending        pending
>> CVE-2008-2358    not-affected        pending        pending        pending
>> CVE-2008-2372    not-affected   not-affected   not-affected         needed
>> CVE-2008-2729         pending   not-affected   not-affected   not-affected
>> CVE-2008-2750    not-affected   not-affected   not-affected        pending
>> CVE-2008-2826         pending        pending        pending        pending
>>
>> I will likely ignore CVE-2008-2372, as I don't think it's actually a
>> vulnerability.  What I now need help with is CVE-2008-0598 and
>> CVE-2008-2729.  The changes are pretty different from release to
>> release.  Looking at other vendor's patches just make me feel even less
>> secure about doing the merges myself.  I think I have CVE-2008-2729
>> sorted out, but I'd to have the commit I used double-checked.
>>
>> CVE-2008-0598
>>     http://lkml.org/lkml/diff/2008/6/25/157/1
>>     and maybe 64649a58919e66ec21792dbb6c48cb3da22cbd7f
>>
>> Thanks guys,
>>
>> -Kees
>>
> 
> Kees - please pull CVE-2008-0598 for dapper/feisty/gutsy from:
> 
> git://kernel.ubuntu.com/rtg/ubuntu-dapper.git master
> git://kernel.ubuntu.com/rtg/ubuntu-feisty.git master
> git://kernel.ubuntu.com/rtg/ubuntu-gutsy.git master
> 
> CVE-2008-2729 is kind of related, but different. Some of the symptoms
> appear similar. Backporting the copy_user assembler is going to be quite
> difficult. However, it has yet to land upstream.
> 
> rtg

Kees - Please pull from

git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-dapper master
git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-feisty master
git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-gutsy master
git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-hardy master

These are the fully packaged versions with correct changelog and ABI
files. The corresponding i386 and amd64 binary packages can be found at
chinstrap.canonical.com:~rtg/kern/security.

If your boot and regression tests prove successful, then I think these
security updates are ready to be uploaded.

rtg
-- 
Tim Gardner tim.gardner at ubuntu.com

More information about the kernel-team mailing list