pending stable kernel security updates

Tim Gardner tcanonical at tpi.com
Fri Jun 27 19:47:31 UTC 2008 

Kees Cook wrote:
> On Mon, Jun 23, 2008 at 10:49:39PM -0700, Kees Cook wrote:
>> Hello!  I've got more pending kernel updates waiting in the
>> ubuntu-security git trees now:
> 
> Here's an update, given the 4 recently-public CVEs.  Current state of
> the CVEs, where "pending" means the fix is in the corresponding
> ubuntu-security git repo:
> 
>                        dapper         feisty          gutsy          hardy
> CVE-2007-6282         pending        pending        pending        pending
> CVE-2007-6712    not-affected        pending        pending   not-affected
> CVE-2008-0598    needs-triage   needs-triage   needs-triage   not-affected
> CVE-2008-1615         pending        pending        pending        pending
> CVE-2008-1673         pending        pending        pending        pending
> CVE-2008-2136         pending        pending        pending        pending
> CVE-2008-2137         pending        pending        pending        pending
> CVE-2008-2148    not-affected   not-affected        pending        pending
> CVE-2008-2358    not-affected        pending        pending        pending
> CVE-2008-2372    not-affected   not-affected   not-affected         needed
> CVE-2008-2729         pending   not-affected   not-affected   not-affected
> CVE-2008-2750    not-affected   not-affected   not-affected        pending
> CVE-2008-2826         pending        pending        pending        pending
> 
> I will likely ignore CVE-2008-2372, as I don't think it's actually a
> vulnerability.  What I now need help with is CVE-2008-0598 and
> CVE-2008-2729.  The changes are pretty different from release to
> release.  Looking at other vendor's patches just make me feel even less
> secure about doing the merges myself.  I think I have CVE-2008-2729
> sorted out, but I'd to have the commit I used double-checked.
> 
> CVE-2008-0598
>     http://lkml.org/lkml/diff/2008/6/25/157/1
>     and maybe 64649a58919e66ec21792dbb6c48cb3da22cbd7f
> 
> Thanks guys,
> 
> -Kees
> 

Kees - please pull CVE-2008-0598 for dapper/feisty/gutsy from:

git://kernel.ubuntu.com/rtg/ubuntu-dapper.git master
git://kernel.ubuntu.com/rtg/ubuntu-feisty.git master
git://kernel.ubuntu.com/rtg/ubuntu-gutsy.git master

CVE-2008-2729 is kind of related, but different. Some of the symptoms
appear similar. Backporting the copy_user assembler is going to be quite
difficult. However, it has yet to land upstream.

rtg
-- 
Tim Gardner tim.gardner at ubuntu.com

More information about the kernel-team mailing list