Security Patches

Security Patches

[Christoph Pleger]

Hello,

In the last few days I read some security advisories about security
patches for Linux Kernels of the 2.4-series which have been published by
various distributors. 

Does anybody know of a URL where such fixes for the stable Kernel 2.4.21
can be found? The best place would be a place where always actual kernel
security fixes can be found and where, if the patches are already
integrated into the kernel, it contains no other differences from the
stable release.

Thanks
  Christoph

Re: Security Patches

[Marc-Christian Petersen]

On Friday 01 August 2003 16:28, Christoph Pleger wrote:

Hi Christoph,

> In the last few days I read some security advisories about security
> patches for Linux Kernels of the 2.4-series which have been published by
> various distributors.
> Does anybody know of a URL where such fixes for the stable Kernel 2.4.21
> can be found? The best place would be a place where always actual kernel
> security fixes can be found and where, if the patches are already
> integrated into the kernel, it contains no other differences from the
> stable release.
please go to: http://linux.bkbits.net:8080/linux-2.4

and browse the changesets. You should see 1. the security fixes, 2. the 
description and 3. the patch itself.

ciao, Marc

Re: Security Patches

[mdew]

On Sat, 2003-08-02 at 02:36, Marc-Christian Petersen wrote:
> On Friday 01 August 2003 16:28, Christoph Pleger wrote:
> 
> Hi Christoph,
> 
> > In the last few days I read some security advisories about security
> > patches for Linux Kernels of the 2.4-series which have been published by
> > various distributors.
> > Does anybody know of a URL where such fixes for the stable Kernel 2.4.21
> > can be found? The best place would be a place where always actual kernel
> > security fixes can be found and where, if the patches are already
> > integrated into the kernel, it contains no other differences from the
> > stable release.
> please go to: http://linux.bkbits.net:8080/linux-2.4

talking of which, is http://linux.bkbits.net:8080/linux-2.5 dead? a week
with absolutely no changes?


-- 
mdew <mdew@mdew.dyndns.org>

Re: Security Patches

[Christoph Pleger]

On Fri, 1 Aug 2003 16:36:45 +0200
Marc-Christian Petersen <m.c.p@wolk-project.de> wrote:

> On Friday 01 August 2003 16:28, Christoph Pleger wrote:
> 
> Hi Christoph,
> 
> > In the last few days I read some security advisories about security
> > patches for Linux Kernels of the 2.4-series which have been
> > published by various distributors.
> > Does anybody know of a URL where such fixes for the stable Kernel
> > 2.4.21 can be found? The best place would be a place where always
> > actual kernel security fixes can be found and where, if the patches
> > are already integrated into the kernel, it contains no other
> > differences from the stable release.
> please go to: http://linux.bkbits.net:8080/linux-2.4

I tried to load that page several times and always got error 131:
Connection reset by peer.

Christoph

Security patches

[kk s]

[-- Attachment #1.1: Type: text/plain, Size: 1769 bytes --]

Hi,

Can anyone give the patch file download link for the below xen security for
xen version 3.4 and 4.1? Since I couldn't find the downloadable patch file
for some of the CVE's.

CVE-2012-0029 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0029>
- http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html
(There is no download link for both xen 3.4 and 4.1)
CVE-2012-2934 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2934>
- http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html
(There is no patch file to download of xen 3.4)
CVE-2012-3432 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3432>
- http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html
(There is no download link for both xen 3.4 and 4.1)
CVE-2012-3433 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3433>
- http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html
(There is no download link for both xen 3.4 and 4.1)
CVE-2012-3497 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3497>
- http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html
(There is no download link for patch)

Also I have some doubts for the below CVE's.

CVE-2012-3496 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3496>
- Is this vulnerability affected for xen 4.x only or it does include for
xen 3.4 too? Since the patch name was
*xsa14-xen-3.4-and-4.x.patch<http://lists.xen.org/archives/html/xen-announce/2012-09/bin_3Uh1V9Hnc.bin>
*  http://lists.xen.org/archives/html/xen-announce/2012-09/msg00002.html
CVE-2012-3516 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3516>
- Shall I apply this unstable for patch for xen4.2 too?
http://lists.xen.org/archives/html/xen-announce/2012-09/msg00004.html

[-- Attachment #1.2: Type: text/html, Size: 3300 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: Security patches

[Ian Campbell]

On Thu, 2012-09-06 at 09:31 +0100, kk s wrote:
> Hi,
> 
> Can anyone give the patch file download link for the below xen
> security for xen version 3.4 and 4.1? Since I couldn't find the
> downloadable patch file for some of the CVE's.
> 
> CVE-2012-0029   - http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html  (There is no download link for both xen 3.4 and 4.1)
> CVE-2012-2934   - http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html  (There is no patch file to download of xen 3.4)
> CVE-2012-3432   - http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html  (There is no download link for both xen 3.4 and 4.1)
> CVE-2012-3433   - http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html  (There is no download link for both xen 3.4 and 4.1)

It looks to me like there are changeset references and/or patches for
all of these in the advisories. You might find it easier to follow: 
        http://wiki.xen.org/wiki/Security_Announcements

You can also always look in the appropriate xen-X.Y-testing.hg tree for
the fix.

> CVE-2012-3497   - http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html  (There is no download link for patch)

This is quite clearly explained in the advisory.

> Also I have some doubts for the below CVE's.
> 
> CVE-2012-3496  - Is this vulnerability affected for xen 4.x only or it
> does include for xen 3.4 too? Since the patch name was
> xsa14-xen-3.4-and-4.x.patch
> http://lists.xen.org/archives/html/xen-announce/2012-09/msg00002.html

Yes, it looks like this effects 3.4 too.

> CVE-2012-3516  - Shall I apply this unstable for patch for xen4.2 too?
> http://lists.xen.org/archives/html/xen-announce/2012-09/msg00004.html

The advisory says "Xen-unstable, including Xen 4.2 release candidates
are vulnerable to this issue.", so yes, obviously.

In the future please carefully read the advisories before asking lots of
questions, almost everything you have asked is addressed in the advisory
texts AFAICT.

Ian.

Re: Security patches

[kk s]

[-- Attachment #1.1: Type: text/plain, Size: 3005 bytes --]

Hi Ian,

Thanks for your reply. Sorry to bother you with this. I am bit confused and
so I am asking to make clear myself.

Reg CVE-2012-2934 -
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html Is
Xen 3.4 too affected with this vulnerable? If so I couldn't find the patch
for xen 3.4 and it does exit for xen 4.x only.

I don't how to apply the following patches since I have created rpm with
patches applied that included as downloadable file. But for these patches I
am not seeing any downloadable file.

http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html
http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html
http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html

If you can clear this for me that would be great :)

I hope that I am replying in correct way.


On Thu, Sep 6, 2012 at 2:26 PM, Ian Campbell <Ian.Campbell@citrix.com>wrote:

> On Thu, 2012-09-06 at 09:31 +0100, kk s wrote:
> > Hi,
> >
> > Can anyone give the patch file download link for the below xen
> > security for xen version 3.4 and 4.1? Since I couldn't find the
> > downloadable patch file for some of the CVE's.
> >
> > CVE-2012-0029   -
> http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html (There is no download link for both xen 3.4 and 4.1)
> > CVE-2012-2934   -
> http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html (There is no patch file to download of xen 3.4)
> > CVE-2012-3432   -
> http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html (There is no download link for both xen 3.4 and 4.1)
> > CVE-2012-3433   -
> http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html (There is no download link for both xen 3.4 and 4.1)
>
> It looks to me like there are changeset references and/or patches for
> all of these in the advisories. You might find it easier to follow:
>         http://wiki.xen.org/wiki/Security_Announcements
>
> You can also always look in the appropriate xen-X.Y-testing.hg tree for
> the fix.
>
> > CVE-2012-3497   -
> http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html (There is no download link for patch)
>
> This is quite clearly explained in the advisory.
>
> > Also I have some doubts for the below CVE's.
> >
> > CVE-2012-3496  - Is this vulnerability affected for xen 4.x only or it
> > does include for xen 3.4 too? Since the patch name was
> > xsa14-xen-3.4-and-4.x.patch
> > http://lists.xen.org/archives/html/xen-announce/2012-09/msg00002.html
>
> Yes, it looks like this effects 3.4 too.
>
> > CVE-2012-3516  - Shall I apply this unstable for patch for xen4.2 too?
> > http://lists.xen.org/archives/html/xen-announce/2012-09/msg00004.html
>
> The advisory says "Xen-unstable, including Xen 4.2 release candidates
> are vulnerable to this issue.", so yes, obviously.
>
> In the future please carefully read the advisories before asking lots of
> questions, almost everything you have asked is addressed in the advisory
> texts AFAICT.
>
> Ian.
>
>
>

[-- Attachment #1.2: Type: text/html, Size: 4914 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: Security patches

[Ian Campbell]

On Thu, 2012-09-06 at 10:08 +0100, kk s wrote:
> Hi Ian,
> 
> Thanks for your reply. Sorry to bother you with this. I am bit
> confused and so I am asking to make clear myself.
> 
> Reg CVE-2012-2934 -
> http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html
> Is Xen 3.4 too affected with this vulnerable? If so I couldn't find
> the patch for xen 3.4 and it does exit for xen 4.x only.

I expect it does effect 3.4, but only if you are running on one of the
listed processors.

security@xen.org doesn't provide security support for 3.4 any more. If
you aren't able to backport the 4.0 patch yourself, you would need to
speak to Keith Coleman who is the 3.4 stable maintainer.

> I don't how to apply the following patches since I have created rpm
> with patches applied that included as downloadable file. But for these
> patches I am not seeing any downloadable file.
> 
> http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html
> http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html
> http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html
> 
> If you can clear this for me that would be great :)

I already pointed you at http://wiki.xen.org/wiki/Security_Announcements
which should have all the links you need.

Re: Security patches

[kk s]

[-- Attachment #1.1: Type: text/plain, Size: 2797 bytes --]

Hi,

It looks like the patch that has been provided on Xen Security Advisory 11
(CVE-2012-3433) doesn't applied for Xen 3.4.4.

When I try to apply this patch and I am getting the below error,

1 out of 1 hunk FAILED -- saving rejects to file xen/arch/x86/mm/p2m.c.rej
1 out of 1 hunk FAILED -- saving rejects to file xen/arch/x86/mm/p2m.c.rej

Seems there is no for loop "for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++
)" on xen/arch/x86/mm/p2m.c.rej on xen3.4.4 source instead if loop only
exists.

p2m.c: && (gfn + (1UL << page_order) - 1 > d->arch.p2m->max_mapped_pfn) )
p2m.c: d->arch.p2m->max_mapped_pfn = gfn + (1UL << page_order) - 1;
p2m.c: if ( gfn > d->arch.p2m->max_mapped_pfn )
p2m.c: if ( gfn <= current->domain->arch.p2m->max_mapped_pfn )
p2m.c: if ( test_linear && (gfn <= d->arch.p2m->max_mapped_pfn) )
p2m.c.orig: && (gfn + (1UL << page_order) - 1 >
d->arch.p2m->max_mapped_pfn) )
p2m.c.orig: d->arch.p2m->max_mapped_pfn = gfn + (1UL << page_order) - 1;
p2m.c.orig: if ( gfn > d->arch.p2m->max_mapped_pfn )
p2m.c.orig: if ( gfn <= current->domain->arch.p2m->max_mapped_pfn )
p2m.c.orig: if ( test_linear && (gfn <= d->arch.p2m->max_mapped_pfn) )
p2m.c.rej: for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )
p2m.c.rej: for ( gfn=0; gfn < p2m->max_mapped_pfn; gfn++ )

So I guess this patch applicable for Xen 4.x only. If you update the patch
for Xen 3.4 that would be great.


On Thu, Sep 6, 2012 at 2:43 PM, Ian Campbell <Ian.Campbell@citrix.com>wrote:

> On Thu, 2012-09-06 at 10:08 +0100, kk s wrote:
> > Hi Ian,
> >
> > Thanks for your reply. Sorry to bother you with this. I am bit
> > confused and so I am asking to make clear myself.
> >
> > Reg CVE-2012-2934 -
> > http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html
> > Is Xen 3.4 too affected with this vulnerable? If so I couldn't find
> > the patch for xen 3.4 and it does exit for xen 4.x only.
>
> I expect it does effect 3.4, but only if you are running on one of the
> listed processors.
>
> security@xen.org doesn't provide security support for 3.4 any more. If
> you aren't able to backport the 4.0 patch yourself, you would need to
> speak to Keith Coleman who is the 3.4 stable maintainer.
>
> > I don't how to apply the following patches since I have created rpm
> > with patches applied that included as downloadable file. But for these
> > patches I am not seeing any downloadable file.
> >
> > http://lists.xen.org/archives/html/xen-devel/2012-02/msg00212.html
> > http://lists.xen.org/archives/html/xen-devel/2012-07/msg01649.html
> > http://lists.xen.org/archives/html/xen-devel/2012-08/msg00855.html
> >
> > If you can clear this for me that would be great :)
>
> I already pointed you at http://wiki.xen.org/wiki/Security_Announcements
> which should have all the links you need.
>
>
>

[-- Attachment #1.2: Type: text/html, Size: 4232 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel