planned 2.6.35.x -stable release for critical x86-64 vulnerabilities ?

planned 2.6.35.x -stable release for critical x86-64 vulnerabilities ?

[Mathieu Desnoyers]

Hi Greg,

Sorry to have to ask this, but I was wondering about the ETA for the next round
of -stable releases including fixes for the following bugs that seems to be
actively exploited in the wild
(http://blog.iweb.com/en/2010/09/64bits-linux-important-security-vulnerability-identified/5437.html
http://isc.sans.edu/diary.html?storyid=9574):

CVE-2010-3081 (fixed by upstream
commit c41d68a513c71e35a14f66d71782d27a79a81ea6)
"compat: Make compat_alloc_user_space() incorporate the access_ok()"

and
CVE-2010-3301 (fixed by upstream
commit 36d001c70d8a0144ac1d038f6876c484849a74de
"x86-64, compat: Test %rax for the syscall number, not %eax"
and
commit
commit eefdca043e8391dcd719711716492063030b55ac
"x86-64, compat: Retruncate rax after ia32 syscall entry tracing")

I'd like to rebase the LTTng tree on top of -stable as soon as it incorporates
these fixes. I could just pull the fixes in my own tree, but this would be
duplicated effort.

Again, sorry for the hassle, but I feel these bugs require immediate attention.

Thanks,

Mathieu

-- 
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com

Re: planned 2.6.35.x -stable release for critical x86-64 vulnerabilities ?

[Greg KH]

On Mon, Sep 20, 2010 at 12:53:20PM -0400, Mathieu Desnoyers wrote:
> Hi Greg,
> 
> Sorry to have to ask this, but I was wondering about the ETA for the next round
> of -stable releases including fixes for the following bugs that seems to be
> actively exploited in the wild
> (http://blog.iweb.com/en/2010/09/64bits-linux-important-security-vulnerability-identified/5437.html
> http://isc.sans.edu/diary.html?storyid=9574):
> 
> CVE-2010-3081 (fixed by upstream
> commit c41d68a513c71e35a14f66d71782d27a79a81ea6)
> "compat: Make compat_alloc_user_space() incorporate the access_ok()"
> 
> and
> CVE-2010-3301 (fixed by upstream
> commit 36d001c70d8a0144ac1d038f6876c484849a74de
> "x86-64, compat: Test %rax for the syscall number, not %eax"
> and
> commit
> commit eefdca043e8391dcd719711716492063030b55ac
> "x86-64, compat: Retruncate rax after ia32 syscall entry tracing")
> 
> I'd like to rebase the LTTng tree on top of -stable as soon as it incorporates
> these fixes. I could just pull the fixes in my own tree, but this would be
> duplicated effort.
> 
> Again, sorry for the hassle, but I feel these bugs require immediate attention.

Does NOBODY frickin read my -rc stable announcements?  This is only the
8th email today that I've gotten about this issue.

{sigh}

I don't know why I even bother at times...

Sorry, I don't mean to take it out on you, but please people, at least
do some basic searching.  Like look at the -stable queue git tree which
shows that a -rc has been released and is under review, or look at the
lkml traffic, or, subscribe to the stable-review mailing list or look at
its archives.

greg k-h

Re: planned 2.6.35.x -stable release for critical x86-64 vulnerabilities ?

[Mathieu Desnoyers]

* Greg KH (gregkh@suse.de) wrote:
> On Mon, Sep 20, 2010 at 12:53:20PM -0400, Mathieu Desnoyers wrote:
> > Hi Greg,
> > 
> > Sorry to have to ask this, but I was wondering about the ETA for the next round
> > of -stable releases including fixes for the following bugs that seems to be
> > actively exploited in the wild
> > (http://blog.iweb.com/en/2010/09/64bits-linux-important-security-vulnerability-identified/5437.html
> > http://isc.sans.edu/diary.html?storyid=9574):
> > 
> > CVE-2010-3081 (fixed by upstream
> > commit c41d68a513c71e35a14f66d71782d27a79a81ea6)
> > "compat: Make compat_alloc_user_space() incorporate the access_ok()"
> > 
> > and
> > CVE-2010-3301 (fixed by upstream
> > commit 36d001c70d8a0144ac1d038f6876c484849a74de
> > "x86-64, compat: Test %rax for the syscall number, not %eax"
> > and
> > commit
> > commit eefdca043e8391dcd719711716492063030b55ac
> > "x86-64, compat: Retruncate rax after ia32 syscall entry tracing")
> > 
> > I'd like to rebase the LTTng tree on top of -stable as soon as it incorporates
> > these fixes. I could just pull the fixes in my own tree, but this would be
> > duplicated effort.
> > 
> > Again, sorry for the hassle, but I feel these bugs require immediate attention.
> 
> Does NOBODY frickin read my -rc stable announcements?  This is only the
> 8th email today that I've gotten about this issue.
> 
> {sigh}
> 
> I don't know why I even bother at times...
> 
> Sorry, I don't mean to take it out on you, but please people, at least
> do some basic searching.  Like look at the -stable queue git tree which
> shows that a -rc has been released and is under review, or look at the
> lkml traffic, or, subscribe to the stable-review mailing list or look at
> its archives.

I did look at the stable-queue.git tree, and did not find anything about 2.6.35.
The tree only specify "start .27/.32 review cycle". Nothing about .35. This is
why I thought it was appropriate to email you about 2.6.35.x.

I'll also read the -rc stable announcements next time, point taken.

Thanks,

Mathieu

-- 
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com

Re: planned 2.6.35.x -stable release for critical x86-64 vulnerabilities ?

[Greg KH]

On Mon, Sep 20, 2010 at 01:38:41PM -0400, Mathieu Desnoyers wrote:
> * Greg KH (gregkh@suse.de) wrote:
> > On Mon, Sep 20, 2010 at 12:53:20PM -0400, Mathieu Desnoyers wrote:
> > > Hi Greg,
> > > 
> > > Sorry to have to ask this, but I was wondering about the ETA for the next round
> > > of -stable releases including fixes for the following bugs that seems to be
> > > actively exploited in the wild
> > > (http://blog.iweb.com/en/2010/09/64bits-linux-important-security-vulnerability-identified/5437.html
> > > http://isc.sans.edu/diary.html?storyid=9574):
> > > 
> > > CVE-2010-3081 (fixed by upstream
> > > commit c41d68a513c71e35a14f66d71782d27a79a81ea6)
> > > "compat: Make compat_alloc_user_space() incorporate the access_ok()"
> > > 
> > > and
> > > CVE-2010-3301 (fixed by upstream
> > > commit 36d001c70d8a0144ac1d038f6876c484849a74de
> > > "x86-64, compat: Test %rax for the syscall number, not %eax"
> > > and
> > > commit
> > > commit eefdca043e8391dcd719711716492063030b55ac
> > > "x86-64, compat: Retruncate rax after ia32 syscall entry tracing")
> > > 
> > > I'd like to rebase the LTTng tree on top of -stable as soon as it incorporates
> > > these fixes. I could just pull the fixes in my own tree, but this would be
> > > duplicated effort.
> > > 
> > > Again, sorry for the hassle, but I feel these bugs require immediate attention.
> > 
> > Does NOBODY frickin read my -rc stable announcements?  This is only the
> > 8th email today that I've gotten about this issue.
> > 
> > {sigh}
> > 
> > I don't know why I even bother at times...
> > 
> > Sorry, I don't mean to take it out on you, but please people, at least
> > do some basic searching.  Like look at the -stable queue git tree which
> > shows that a -rc has been released and is under review, or look at the
> > lkml traffic, or, subscribe to the stable-review mailing list or look at
> > its archives.
> 
> I did look at the stable-queue.git tree, and did not find anything about 2.6.35.
> The tree only specify "start .27/.32 review cycle". Nothing about .35. This is
> why I thought it was appropriate to email you about 2.6.35.x.

Ah, sorry, I forgot to move the .35 tree in the queue quilt series, my
mistake.  It's now done and pushed out.

thanks,

greg k-h