+Xen Patches README
+These patches are intended to be stacked on top of genpatches-base.
+Many of the patches included here are swiped from various sources which
+use their own four digit patch numbering scheme, so we are stuck with five
+digits to indiciate the source for easier tracking and re-syncing.
+0xxxx Gentoo, not related to Xen. (in case we pull something from extras)
+1xxxx XenSource, upstream Xen patch for 2.6.18
+2xxxx Redhat, we use their Xen patch for >=2.6.20
+3xxxx Debian, we use their security fixes for 2.6.18
+5xxxx Gentoo, Xen and other fixes for Redhat and/or Debian patches.
+ Upstream 3.2.0 patch
+ [SECURITY] Fix remotely exploitable NULL pointer dereference in
+ nfulnl_recv_config()
+ See CVE-2007-1496
+ [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
+ which allows remote attackers to bypass certain rulesets
+ See CVE-2007-1497
+ [SECURITY] Fix infinite recursion bug in netlink
+ See CVE-2007-1861
+ Add fix for oops bug added by previous patch
+ [SECURITY] Fix a vulnerability that allows local users to read
+ otherwise unreadable (but executable) files by triggering a core dump.
+ See CVE-2007-0958
+ [SECURITY] Fix a remote DoS (crash) in appletalk
+ Depends upon bugfix/appletalk-endianness-annotations.patch
+ See CVE-2007-1357
+ [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver
+ See CVE-2007-0005
+ [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
+ ipv6_fl_socklist between the listening socket and the socket created
+ for connection.
+ See CVE-2007-1592
+ [SECURITY] Fix the key serial number collision avoidance code in
+ key_alloc_serial() that could lead to a local DoS (oops).
+ (closes: #398470)
+ See CVE-2007-0006
+ [SECURITY] Fix kernel memory leak vulnerability in
+ ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
+ See CVE-2007-1000
+ [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead
+ to a local DoS (oops).
+ See CVE-2007-1388
+ [SECURITY] Avoid a remote DoS (network amplification between two routers)
+ by disabling type0 IPv6 route headers by default. Can be re-enabled via
+ a sysctl interface. Thanks to Vlad Yasevich for porting help.
+ [SECURITY] Fix userspace corruption vulnerability caused by
+ incorrectly promoted return values in bad_inode_ops
+ This patch changes the kernel ABI.
+ See CVE-2006-5753
+ [SECURITY] Fix information leaks in setsockopt() implementations
+ See CVE-2007-1353
+ [SECURITY] limit memory consumption during write in the usblcd driver
+ See CVE-2007-3513
+ [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released
+ after connect but before PPPIOCGCHAN ioctl is called upon it
+ See CVE-2007-2525
+ [SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
+ index values
+ See CVE-2007-3642
+ [SECURITY] Fix out of bounds condition in dn_fib_props[]
+ See CVE-2007-2172
+ [SECURITY] Avoid seeding with the same values at boot time when a
+ system has no entropy source and fix a casting error in entropy
+ extraction that resulted in slightly less random numbers.
+ See CVE-2007-2453
+ [SECURITY] Fix remotely triggerable NULL pointer dereference
+ by sending an unknown chunk type.
+ See CVE-2007-2876
+ [SECURITY] Fix i965 secured batchbuffer usage
+ See CVE-2007-3851
+ Dependency for 30006_appletalk-length-mismatch.patch.
+ Dependency for 30022_i965-secure-batchbuffer.patch
+ [SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
+ and check for out of bounds condition in index provided by userspace
+ See CVE-2007-2172
+ [SECURITY] Fix overriding the server to force signing on caused by
+ checking the wrong gloal variable.
+ See CVE-2007-3843
+ [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
+ local attackers to read sensitive kernel memory if the cpuset filesystem
+ is mounted.
+ See CVE-2007-2875
+ [SECURITY] Fix stack-based buffer overflow in the random number
+ generator
+ See CVE-2007-3105
+ [SECURITY] Require admin capabilities to issue ioctls to aacraid devices
+ See CVE-2007-4308
+ [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
+ during ptrace single-step operations that can be used to trigger a
+ NULL-pointer dereference causing an Oops.
+ See CVE-2007-3731
+ [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
+ into address space reserved for hugetlb pages.
+ See CVE-2007-3739
+ [SECURITY] Make CIFS honor a process' umask
+ See CVE-2007-3740
+ [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
+ See CVE-2007-4573
+ [SECURITY] Write correct legacy modes to the medium on inode creation to
+ prevent incorrect permissions upon remount.
+ See CVE-2007-4849
+ [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree
+ which could be used to trigger a BUG_ON() call in exit_mmap.
+ See CVE-2007-4133
+ [SECURITY] Fix issue with unplugging webcams that use the pwc driver.
+ If userspace still has the device open it can result, the driver would
+ wait for the device to close, blocking the USB subsystem.
+ See CVE-2007-5093
+ Fix ipv6 rfc conformance issue introduced in 2.6.18.dfsg.1-13 by the
+ fix for CVE-2007-2242. Thanks to Brian Haley for the patch.
+ (closes: Debian #440127)
+/* This is already in Xen 3.2
+ Update fix for CVE-2007-3848 with the patch accepted upstream
+ (formerly 30013_reset-pdeathsig-on-suid.patch)
+ [SECURITY] Don't leak NT bit into next task (Xen).
+ See CVE-2006-5755
+ [SECURITY][CIFS] Fix multiple overflows that can be remotely triggered
+ by a server sending a corrupt response.
+ See CVE-2007-5904
+ [SECURITY] wait_task_stopped was incorrectly testing for TASK_TRACED -
+ check p->exit_state instead avoiding a potential system hang
+ See CVE-2007-5500
+ [SECURITY] Fix integer overflow in ieee80211 which makes it possible
+ for a malicious frame to crash a system using a driver built on top of
+ the Linux 802.11 wireless code.
+ See CVE-2007-4997
+ [SECURITY] Fix potential NULL pointer dereference which can lead to
+ a local DoS (kernel oops)
+ See CVE-2007-3104
+ [SECURITY] Fix a theoretical kernel memory leak in the tmpfs filesystem
+ See CVE-2007-6417
+ [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
+ filesystem that would otherwise cause a system to hang (printk storm)
+ See CVE-2006-6058
+ [SECURITY] Avoid overflow in hrtimers due to large relative timeouts
+ See CVE-2007-5966
+ [SECURITY] Fix an issue where core dumping over a file that
+ already exists retains the ownership of the original file
+ See CVE-2007-6206
+ [SECURITY] Fix potential overflows in the ISDN subsystem
+ See CVE-2007-6063
+ [SECURITY][ABI Changer] Fix an issue in the alsa subsystem that allows a
+ local user to read potentially sensitive kernel memory from the proc
+ filesystem
+ See CVE-2007-4571
+ [SECURITY][ABI Changer] Fix kernel_dirent corruption in the compat layer
+ for fat ioctls
+ See CVE-2007-2878
+ [SECURITY] Use the access mode flag instead of the open flag when
+ testing access mode for a directory. Modify
+ features/all/vserver/vs2.0.2.2-rc9.patch to apply on top of this
+ See CVE-2008-0001
+ [SECURITY] Fix potential isdn ioctl memory overrun
+ See CVE-2007-6151
+ [SECURITY] Fix missing access check in vmsplice.
+ See CVE-2008-0010, CVE-2008-0600
+ Fix a minor denial of service issue that allows local users to disable
+ an interrupt by causing an interrupt handler to be quickly inserted/removed.
+ This has only been shown to happen with certain serial devices so can only
+ be triggered by a user who already has additional priveleges (dialout
+ group). (closes: Debian #404815)
+ [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
+ a fault handler but do not bounds check the offset argument
+ See CVE-2008-0007
+ [SECURITY] Move check for an RLIMIT_CPU with a value of 0 earlier
+ to prevent a user escape (closes: #419706)
+ See CVE-2008-1294
+ [SECURITY] Fix a race in the directory notify
+ See CVE-2008-1375
+ [SECURITY] Fix an SMP race to prevent reordering of flock updates
+ and accesses to the descriptor table on close().
+ See CVE-2008-1669
+ [SECURITY] Fix remotely-triggerable memory leak in the Simple
+ Internet Transition (SIT) code used for IPv6 over IPv4 tunnels
+ See CVE-2008-2136
+ [SECURITY] Fix potential infinite loop in hrtimer_forward on
+ 64-bit systems
+ See CVE-2007-6712
+ [SECURITY] Fix local ptrace denial of service for amd64 flavor
+ kernels, bug #480390
+ See CVE-2008-1615
+ [SECURITY] Validate feature length to avoid heap overflow
+ See CVE-2008-2358
+ [SECURITY] Validate lengths in ASN.1 decoding code to avoid
+ heap overflow
+ See CVE-2008-1673
+ Change tls warning instructions to apply directly to Gentoo.
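Review bot: the per-patch entries from "Upstream 3.2.0 patch" onward carry descriptions and CVE references but no patch filename, so a reader cannot map any entry to the 0xxxx/1xxxx/2xxxx/3xxxx/5xxxx source scheme documented at the top, and the two dependency lines ("Dependency for 30006_appletalk-length-mismatch.patch." and "Dependency for 30022_i965-secure-batchbuffer.patch") name files that appear nowhere else in the README; add the filename line above each entry and a trailing period to the second dependency line. The scheme list also jumps from 3xxxx to 5xxxx; state whether 4xxxx is reserved. The line "/* This is already in Xen 3.2" opens a C-style comment that is never closed, so it is unclear whether it applies only to the CVE-2007-3848 entry that follows or to everything after it; close it explicitly or reword it as a plain note on that one entry. Spelling: "indiciate" should be "indicate", "priveleges" and "unpriveleged" should be "privileges" and "unprivileged", "gloal" should be "global", and "type0 IPv6 route headers" should read "type 0".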