* Patch for CVE-2004-1334 ??? @ 2006-01-23 17:39 Syed Ahemed 2006-01-23 18:14 ` Diego Calleja 2006-01-23 22:31 ` Willy Tarreau 0 siblings, 2 replies; 7+ messages in thread From: Syed Ahemed @ 2006-01-23 17:39 UTC (permalink / raw) To: linux-kernel Hi I do know this community is busy with more important things , but i am out of ideas/search on this one. How do i get the patch for the CVE-2004-1334 ? I have an opensource linux 2.4.28 on my production server. If you think this question is stupid enough , then i would eventually write a patch for this .The trouble i have is on applying the patch cos my understanding of GPL is pretty confusing. Please point me to the patch for the above . Regards King khan ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Patch for CVE-2004-1334 ??? 2006-01-23 17:39 Patch for CVE-2004-1334 ??? Syed Ahemed @ 2006-01-23 18:14 ` Diego Calleja 2006-01-25 8:56 ` Syed Ahemed 2006-01-23 22:31 ` Willy Tarreau 1 sibling, 1 reply; 7+ messages in thread From: Diego Calleja @ 2006-01-23 18:14 UTC (permalink / raw) To: Syed Ahemed; +Cc: linux-kernel El Mon, 23 Jan 2006 23:09:49 +0530, Syed Ahemed <kingkhan@gmail.com> escribió: > Hi > I do know this community is busy with more important things , but i am > out of ideas/search on this one. > How do i get the patch for the CVE-2004-1334 ? I have an opensource Well, 2.4.32 fixes that bug and many others security. Any reason why you aren't using the latest version. You can find links to the changesets in the original security advisory from guninski (easy to find in google) ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Patch for CVE-2004-1334 ??? 2006-01-23 18:14 ` Diego Calleja @ 2006-01-25 8:56 ` Syed Ahemed 2006-01-25 22:09 ` Willy Tarreau 0 siblings, 1 reply; 7+ messages in thread From: Syed Ahemed @ 2006-01-25 8:56 UTC (permalink / raw) To: Diego Calleja; +Cc: linux-kernel The simple reason we do not intend to use the latest version is we run some third party software which cant be front ported (pardon the slang ) to 2.4.29 and above. As for the changeset by guninski , i wish to ask about a one point source of applying all the patches for 2.4.28 .I mean shouldn't all the kernel security patches ( atleast the ones that have become CVE's) be a part of kernel.org .Since there isn't any what is the reason ? I dont want to go to Gentoo for one patch , red hat for another ....and GOD knows how many sites . Torvalds is the GOD of open source , but am i asking for too much :-) On 1/23/06, Diego Calleja <diegocg@gmail.com> wrote: > El Mon, 23 Jan 2006 23:09:49 +0530, > Syed Ahemed <kingkhan@gmail.com> escribió: > > > Hi > > I do know this community is busy with more important things , but i am > > out of ideas/search on this one. > > How do i get the patch for the CVE-2004-1334 ? I have an opensource > > Well, 2.4.32 fixes that bug and many others security. Any reason why you > aren't using the latest version. > > You can find links to the changesets in the original security advisory > from guninski (easy to find in google) > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Patch for CVE-2004-1334 ??? 2006-01-25 8:56 ` Syed Ahemed @ 2006-01-25 22:09 ` Willy Tarreau 2006-01-26 12:27 ` Syed Ahemed 0 siblings, 1 reply; 7+ messages in thread From: Willy Tarreau @ 2006-01-25 22:09 UTC (permalink / raw) To: Syed Ahemed; +Cc: Diego Calleja, linux-kernel On Wed, Jan 25, 2006 at 02:26:51PM +0530, Syed Ahemed wrote: > The simple reason we do not intend to use the latest version is we run > some third party software which cant be front ported (pardon the slang > ) to 2.4.29 and above. > As for the changeset by guninski , i wish to ask about a one point > source of applying all the patches for 2.4.28 .I mean shouldn't all > the kernel security patches ( atleast the ones that have become CVE's) > be a part of kernel.org .Since there isn't any what is the reason ? It's even more work for the person doing it. Maintaining the hotfixes from 2.4.29 already takes me some time (not much more for 4 versions than for one, what takes the most time is merging the patches, compiling and releasing). > I dont want to go to Gentoo for one patch , red hat for another > ....and GOD knows how many sites . > Torvalds is the GOD of open source , but am i asking for too much :-) I can propose a deal to you. You send me a pointer to the patches that need to be applied to 2.4.28 to make it as secure as 2.4.29, and I can include 2.4.28 in my hotfix tree, so that you'll get regular updates for free. I already have what is needed starting from 2.4.29, you just have to point the 2.4.28-specific patches. It would time consuming for me to review them all, but if someone like you has some interest in it, it should be a win-win for both of us. Simply send me the bkbits.net URLs, I should be able to do the rest. Regards, Willy ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Patch for CVE-2004-1334 ??? 2006-01-25 22:09 ` Willy Tarreau @ 2006-01-26 12:27 ` Syed Ahemed 0 siblings, 0 replies; 7+ messages in thread From: Syed Ahemed @ 2006-01-26 12:27 UTC (permalink / raw) To: Willy Tarreau; +Cc: Diego Calleja, linux-kernel Hi Willy. Thanks a lot for the initiative , This is the brief list of vulnerabilities i am concerned/aware about right now.Will keep looking for patches in the days to come. Please feel free to ask for more help , I am ready to volunteer for the cause of making the open source kernel secure . PS : Let me know the approach to get subsequent updates from you ? 1]http://www.openwall.com/linux/ A] CAN-2004-1235 Linux 2.4.29-ow1 is out. Linux 2.4.29, and thus 2.4.29-ow1, adds a number of security fixes, including to the x86/SMP page fault handler (CAN-2005-0001) and the uselib(2) (CAN-2004-1235) race conditions, both discovered by Paul Starzetz. The potential of these bugs is a local root compromise. The uselib(2) bug does not affect default builds of Linux kernels with the Openwall patch applied since the vulnerable code is only compiled in if one explicitly enables CONFIG_BINFMT_ELF_AOUT, an option introduced by the patch. 2] Same as above [CAN-2004-12345 but just fixes the uselib vulnerabilty , I dont know again which one to pick http://kerneltrap.org/node/4503 Marcelo Tosatti [interview] released the 2.4.29-rc1 Linux kernel with "a SATA update [and a] bunch of network driver updates". He went on to note, "more importantly it fixes a sys_uselib() vulnerability discovered by Paul Starzetz". He adds, "[upgrading] is recommended for users of v2.4.x mainline, distros should be releasing their updates real soon now." The vulnerability allows local users to gain root privileges: 3] CAN-2004-1334 http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html http://linux.bkbits.net:8080/linux-2.4/cset@41b76e94BsJKm8jhVtyDat9ZM1dXXg http://linux.bkbits.net:8080/linux-2.4/cset@41b766beodCDEFPbjDRLoUUUxw4Z6w http://linux.bkbits.net:8080/linux-2.4/cset@41b77314ZtyUzWzZFzaCRGoQc6hKcw http://linux.bkbits.net:8080/linux-2.4/cset@41c01f2bHFmPwBYQmce6Aw0owIyqkg 4] CAN-2004-1016 https://lwn.net/Articles/115726/ Thanks King Khan On 1/26/06, Willy Tarreau <willy@w.ods.org> wrote: > On Wed, Jan 25, 2006 at 02:26:51PM +0530, Syed Ahemed wrote: > > The simple reason we do not intend to use the latest version is we run > > some third party software which cant be front ported (pardon the slang > > ) to 2.4.29 and above. > > As for the changeset by guninski , i wish to ask about a one point > > source of applying all the patches for 2.4.28 .I mean shouldn't all > > the kernel security patches ( atleast the ones that have become CVE's) > > be a part of kernel.org .Since there isn't any what is the reason ? > > It's even more work for the person doing it. Maintaining the hotfixes > from 2.4.29 already takes me some time (not much more for 4 versions > than for one, what takes the most time is merging the patches, compiling > and releasing). > > > I dont want to go to Gentoo for one patch , red hat for another > > ....and GOD knows how many sites . > > Torvalds is the GOD of open source , but am i asking for too much :-) > > I can propose a deal to you. You send me a pointer to the patches that > need to be applied to 2.4.28 to make it as secure as 2.4.29, and I can > include 2.4.28 in my hotfix tree, so that you'll get regular updates > for free. I already have what is needed starting from 2.4.29, you just > have to point the 2.4.28-specific patches. It would time consuming for > me to review them all, but if someone like you has some interest in it, > it should be a win-win for both of us. > > Simply send me the bkbits.net URLs, I should be able to do the rest. > > Regards, > Willy > > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Patch for CVE-2004-1334 ??? 2006-01-23 17:39 Patch for CVE-2004-1334 ??? Syed Ahemed 2006-01-23 18:14 ` Diego Calleja @ 2006-01-23 22:31 ` Willy Tarreau 1 sibling, 0 replies; 7+ messages in thread From: Willy Tarreau @ 2006-01-23 22:31 UTC (permalink / raw) To: Syed Ahemed; +Cc: linux-kernel Hi, On Mon, Jan 23, 2006 at 11:09:49PM +0530, Syed Ahemed wrote: > Hi > I do know this community is busy with more important things , but i am > out of ideas/search on this one. > How do i get the patch for the CVE-2004-1334 ? I have an opensource > linux 2.4.28 on my production server. I'm afraid 2.4-hf does not go that far backwards, it started at 2.4.29. Git started even later. I've searched through http://linux.bkbits.net/ and I think that what you're looking for is here : http://linux.bkbits.net:8080/linux-2.4/gnupatch@41b76e94BsJKm8jhVtyDat9ZM1dXXg > If you think this question is stupid enough , then i would eventually > write a patch for this .The trouble i have is on applying the patch > cos my understanding of GPL is pretty confusing. You don't have to worry, unless explicitly stated otherwise, patches follow the same licence as the code they're for. So basically you can apply a kernel patch from any other version to your kernel, and if you know how to fix the bug by yourself (dangerous), that's fine too. > Please point me to the patch for the above . Please check above. > Regards > King khan Regards, Willy ^ permalink raw reply [flat|nested] 7+ messages in thread
[parent not found: <5ydZz-2G1-7@gated-at.bofh.it>]
[parent not found: <5yetg-3us-31@gated-at.bofh.it>]
[parent not found: <5yOFI-5CN-19@gated-at.bofh.it>]
* Re: Patch for CVE-2004-1334 ??? [not found] ` <5yOFI-5CN-19@gated-at.bofh.it> @ 2006-01-25 14:43 ` Robert Hancock 0 siblings, 0 replies; 7+ messages in thread From: Robert Hancock @ 2006-01-25 14:43 UTC (permalink / raw) To: linux-kernel Syed Ahemed wrote: > The simple reason we do not intend to use the latest version is we run > some third party software which cant be front ported (pardon the slang > ) to 2.4.29 and above. > As for the changeset by guninski , i wish to ask about a one point > source of applying all the patches for 2.4.28 .I mean shouldn't all > the kernel security patches ( atleast the ones that have become CVE's) > be a part of kernel.org .Since there isn't any what is the reason ? It is "part of kernel.org", it's called 2.4.32. The kernel developers can hardly be expected to release a patch for every vulnerability against every possible kernel version ever released.. If you need guaranteed security patches against a specific version of the kernel you should likely be using a distribution kernel and not a vanilla kernel. -- Robert Hancock Saskatoon, SK, Canada To email, remove "nospam" from hancockr@nospamshaw.ca Home Page: http://www.roberthancock.com/ ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2006-01-26 12:27 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2006-01-23 17:39 Patch for CVE-2004-1334 ??? Syed Ahemed 2006-01-23 18:14 ` Diego Calleja 2006-01-25 8:56 ` Syed Ahemed 2006-01-25 22:09 ` Willy Tarreau 2006-01-26 12:27 ` Syed Ahemed 2006-01-23 22:31 ` Willy Tarreau [not found] <5ydZz-2G1-7@gated-at.bofh.it> [not found] ` <5yetg-3us-31@gated-at.bofh.it> [not found] ` <5yOFI-5CN-19@gated-at.bofh.it> 2006-01-25 14:43 ` Robert Hancock
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).