Linux-2.4.31-hf3 (SECURITY)

From: Willy Tarreau
Date: Wed Jul 27 2005 - 17:44:28 EST


Hello,

due to a recent vulnerability discovered in zlib (CAN-2005-1849), here's a
new set of hotfixes for stable kernels 2.4 :

- 2.4.31-hf3
- 2.4.30-hf6
- 2.4.29-hf13

The zlib vulnerability has been shown to be able to segfault gunzip with a
specially crafted input stream; it is expected that the kernel may crash if
zlib users such as PPP or zisofs were targeted.

Aside from that, the correct version of Davem's netlink hashing fix has been
merged, as well as 2 other minor patches.

Changelog appended, and updates available at the usual URL below. Naturally,
upgrade is recommended.

http://linux.exosec.net/kernel/2.4-hf/

Only build of 2.4.31-hf3 with full modules has been tested. Grant will
probably update his more complete build/test reports there soon :

http://scatter.mine.nu/linux-2.4-hotfix/

Regards
Willy

--

Changelog From 2.4.31-hf2 to 2.4.31-hf3 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

+ 2.4.31-zlib-security-bugs-1 (Tim Yamin)

Fix outstanding security bugs in the Linux zlib implementations. See:
a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
b) http://bugs.gentoo.org/show_bug.cgi?id=94584

+ 2.4.31-ip_vs_conn_tab-race-1 (Neil Horman)

[IPVS]: Close race conditions on ip_vs_conn_tab list modification.
In an smp system, it is possible for a connection timer to expire,
calling ip_vs_conn_expire while the connection table is being flushed,
before ct_write_lock_bh is acquired. (...) The result is that the next
pointer gets set to NULL, and subsequently dereferenced, resulting in
an oops.

+ 2.4.31-inode-cache-smp-races-1 (Larry Woodman)

[PATCH] workaround inode cache (prune_icache/__refile_inode) SMP races

Over the past couple of weeks we have seen two races in the inode cache
code. The first is between [dispose_list()] and __refile_inode() and the
second is between prune_icache() and truncate_inodes(). Fixes bug 155289.

+ 2.4.31-netlink-socket-hashing-bugs-2 (David S. Miller)

[NETLINK]: Fix two socket hashing bugs.
netlink_release() should only decrement the hash entry count if the
socket was actually hashed. netlink_autobind() needs to propagate
the error return from netlink_insert(). Otherwise, callers will not
see the error as they should and thus try to operate on a socket
with a zero pid, which is very bad. Thanks to Jakub Jelinek for
providing backtraces, and Herbert Xu for debugging patches to help
track this down.

+ 2.4.31-sparc64-sys32_utimes-random-timestamps-1 (Jakub Bogusz)

[SPARC64]: fix sys32_utimes(somefile, NULL)

This patch fixes utimes(somefile, NULL) syscalls on sparc64 kernel with
32-bit userland - use of uninitialized value resulted in making random
timestamps, which confused e.g. sudo. It has been already fixed (by davem)
in linux-2.6 tree 30 months ago.

-- END --
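
The two netlink hashing fixes described in the changelog above, as an added example that is not part of the original message and not kernel code: a userspace C model of "propagate the insert error" and "only decrement the count if the socket was hashed". Every name here (`model_insert`, `autobind_*`, `release_*`, `TABLE_MAX`, both structs) is hypothetical, and a full table stands in for whatever makes the real insert fail.

```c
#include <errno.h>

/* Userspace model only: every name and body here is hypothetical, not kernel code. */
#define TABLE_MAX 2   /* constructed limit so that an insert can fail */

struct sock_model  { unsigned pid; int hashed; };
struct table_model { unsigned entries; };   /* stands in for the hash entry count */

/* Hash the socket under pid, or report why it could not be hashed. */
int model_insert(struct table_model *t, struct sock_model *sk, unsigned pid)
{
    if (t->entries >= TABLE_MAX)
        return -ENOMEM;          /* socket stays unhashed and keeps pid 0 */
    sk->pid = pid;
    sk->hashed = 1;
    t->entries++;
    return 0;
}

/* Before the fix: the insert result is dropped, so the caller sees success
 * and goes on to use a socket whose pid is still zero. */
int autobind_before(struct table_model *t, struct sock_model *sk, unsigned pid)
{
    (void)model_insert(t, sk, pid);
    return 0;
}

/* After the fix: the error from the insert reaches the caller. */
int autobind_after(struct table_model *t, struct sock_model *sk, unsigned pid)
{
    return model_insert(t, sk, pid);
}

/* Before the fix: the count drops even for a socket that was never hashed,
 * so it drifts away from the number of sockets really in the table. */
void release_before(struct table_model *t, struct sock_model *sk)
{
    (void)sk;
    t->entries--;
}

/* After the fix: only a socket that was actually hashed is counted out. */
void release_after(struct table_model *t, struct sock_model *sk)
{
    if (!sk->hashed)
        return;
    sk->hashed = 0;
    t->entries--;
}
```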