pending stable kernel security updates
Tim Gardner
tcanonical at tpi.com
Fri Jun 27 19:47:31 UTC 2008
Kees Cook wrote:
> On Mon, Jun 23, 2008 at 10:49:39PM -0700, Kees Cook wrote:
>> Hello! I've got more pending kernel updates waiting in the
>> ubuntu-security git trees now:
>
> Here's an update, given the 4 recently-public CVEs. Current state of
> the CVEs, where "pending" means the fix is in the corresponding
> ubuntu-security git repo:
>
> dapper feisty gutsy hardy
> CVE-2007-6282 pending pending pending pending
> CVE-2007-6712 not-affected pending pending not-affected
> CVE-2008-0598 needs-triage needs-triage needs-triage not-affected
> CVE-2008-1615 pending pending pending pending
> CVE-2008-1673 pending pending pending pending
> CVE-2008-2136 pending pending pending pending
> CVE-2008-2137 pending pending pending pending
> CVE-2008-2148 not-affected not-affected pending pending
> CVE-2008-2358 not-affected pending pending pending
> CVE-2008-2372 not-affected not-affected not-affected needed
> CVE-2008-2729 pending not-affected not-affected not-affected
> CVE-2008-2750 not-affected not-affected not-affected pending
> CVE-2008-2826 pending pending pending pending
>
> I will likely ignore CVE-2008-2372, as I don't think it's actually a
> vulnerability. What I now need help with is CVE-2008-0598 and
> CVE-2008-2729. The changes are pretty different from release to
> release. Looking at other vendor's patches just make me feel even less
> secure about doing the merges myself. I think I have CVE-2008-2729
> sorted out, but I'd to have the commit I used double-checked.
>
> CVE-2008-0598
> http://lkml.org/lkml/diff/2008/6/25/157/1
> and maybe 64649a58919e66ec21792dbb6c48cb3da22cbd7f
>
> Thanks guys,
>
> -Kees
>
Kees - please pull CVE-2008-0598 for dapper/feisty/gutsy from:
git://kernel.ubuntu.com/rtg/ubuntu-dapper.git master
git://kernel.ubuntu.com/rtg/ubuntu-feisty.git master
git://kernel.ubuntu.com/rtg/ubuntu-gutsy.git master
CVE-2008-2729 is kind of related, but different. Some of the symptoms
appear similar. Backporting the copy_user assembler is going to be quite
difficult. However, it has yet to land upstream.
rtg
--
Tim Gardner tim.gardner at ubuntu.com
More information about the kernel-team
mailing list