summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'tags/2.6.18-11/00000_README')
-rw-r--r--tags/2.6.18-11/00000_README334
1 files changed, 334 insertions, 0 deletions
diff --git a/tags/2.6.18-11/00000_README b/tags/2.6.18-11/00000_README
new file mode 100644
index 0000000..7ee89f7
--- /dev/null
+++ b/tags/2.6.18-11/00000_README
@@ -0,0 +1,334 @@
+Xen Patches README
+------------------
+
+These patches are intended to be stacked on top of genpatches-base.
+
+Many of the patches included here are swiped from various sources which
+use their own four digit patch numbering scheme, so we are stuck with five
+digits to indiciate the source for easier tracking and re-syncing.
+
+Numbering
+---------
+
+0xxxx Gentoo, not related to Xen. (in case we pull something from extras)
+1xxxx XenSource, upstream Xen patch for 2.6.18
+2xxxx Redhat, we use their Xen patch for >=2.6.20
+3xxxx Debian, we use their security fixes for 2.6.18
+5xxxx Gentoo, Xen and other fixes for Redhat and/or Debian patches.
+
+Patches
+-------
+
+10001_xen-3.2.0.patch
+ Upstream 3.2.0 patch
+
+30001_nfnetlink_log-null-deref.patch
+ [SECURITY] Fix remotely exploitable NULL pointer dereference in
+ nfulnl_recv_config()
+ See CVE-2007-1496
+
+30002_nf_conntrack-set-nfctinfo.patch
+ [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
+ which allows remote attackers to bypass certain rulesets
+ See CVE-2007-1497
+
+30003_netlink-infinite-recursion.patch
+ [SECURITY] Fix infinite recursion bug in netlink
+ See CVE-2007-1861
+
+30004_nl_fib_lookup-oops.patch
+ Add fix for oops bug added by previous patch
+
+30005_core-dump-unreadable-PT_INTERP.patch
+ [SECURITY] Fix a vulnerability that allows local users to read
+ otherwise unreadable (but executable) files by triggering a core dump.
+ See CVE-2007-0958
+
+30006_appletalk-length-mismatch.patch
+ [SECURITY] Fix a remote DoS (crash) in appletalk
+ Depends upon bugfix/appletalk-endianness-annotations.patch
+ See CVE-2007-1357
+
+30007_cm4040-buffer-overflow.patch
+ [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver
+ See CVE-2007-0005
+
+30008_ipv6_fl_socklist-no-share.patch
+ [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
+ ipv6_fl_socklist between the listening socket and the socket created
+ for connection.
+ See CVE-2007-1592
+
+30009_keys-serial-num-collision.patch
+ [SECURITY] Fix the key serial number collision avoidance code in
+ key_alloc_serial() that could lead to a local DoS (oops).
+ (closes: #398470)
+ See CVE-2007-0006
+
+30010_ipv6_getsockopt_sticky-null-opt.patch
+ [SECURITY] Fix kernel memory leak vulnerability in
+ ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
+ See CVE-2007-1000
+
+30011_ipv6_setsockopt-NULL-deref.patch
+ [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead
+ to a local DoS (oops).
+ See CVE-2007-1388
+
+30012_ipv6-disallow-RH0-by-default.patch
+ [SECURITY] Avoid a remote DoS (network amplification between two routers)
+ by disabling type0 IPv6 route headers by default. Can be re-enabled via
+ a sysctl interface. Thanks to Vlad Yasevich for porting help.
+
+30013_listxattr-mem-corruption.patch
+ [SECURITY] Fix userspace corruption vulnerability caused by
+ incorrectly promoted return values in bad_inode_ops
+ This patch changes the kernel ABI.
+ See CVE-2006-5753
+
+30014_bluetooth-l2cap-hci-info-leaks.patch
+ [SECURITY] Fix information leaks in setsockopt() implementations
+ See CVE-2007-1353
+
+30015_usblcd-limit-memory-consumption.patch
+ [SECURITY] limit memory consumption during write in the usblcd driver
+ See CVE-2007-3513
+
+30016_pppoe-socket-release-mem-leak.patch
+ [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released
+ after connect but before PPPIOCGCHAN ioctl is called upon it
+ See CVE-2007-2525
+
+30017_nf_conntrack_h323-bounds-checking.patch
+ [SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
+ index values
+ See CVE-2007-3642
+
+30018_dn_fib-out-of-bounds.patch
+ [SECURITY] Fix out of bounds condition in dn_fib_props[]
+ See CVE-2007-2172
+
+30019_random-fix-seeding-with-zero-entropy.patch,
+30020_random-fix-error-in-entropy-extraction.patch
+ [SECURITY] Avoid seeding with the same values at boot time when a
+ system has no entropy source and fix a casting error in entropy
+ extraction that resulted in slightly less random numbers.
+ See CVE-2007-2453
+
+30021_nf_conntrack_sctp-null-deref.patch
+ [SECURITY] Fix remotely triggerable NULL pointer dereference
+ by sending an unknown chunk type.
+ See CVE-2007-2876
+
+30022_i965-secure-batchbuffer.patch
+ [SECURITY] Fix i965 secured batchbuffer usage
+ See CVE-2007-3851
+
+30023_appletalk-endianness-annotations.patch
+ Dependency for 30006_appletalk-length-mismatch.patch.
+
+30024_drm-i965.patch
+ Dependency for 30022_i965-secure-batchbuffer.patch
+
+30025_ipv4-fib_props-out-of-bounds.patch
+ [SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
+ and check for out of bounds condition in index provided by userspace
+ See CVE-2007-2172
+
+30026_cifs-fix-sign-settings.patch
+ [SECURITY] Fix overriding the server to force signing on caused by
+ checking the wrong gloal variable.
+ See CVE-2007-3843
+
+30027_cpuset_tasks-underflow.patch
+ [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
+ local attackers to read sensitive kernel memory if the cpuset filesystem
+ is mounted.
+ See CVE-2007-2875
+
+30028_random-bound-check-ordering.patch
+ [SECURITY] Fix stack-based buffer overflow in the random number
+ generator
+ See CVE-2007-3105
+
+30030_aacraid-ioctl-perm-check.patch
+ [SECURITY] Require admin capabilities to issue ioctls to aacraid devices
+ See CVE-2007-4308
+
+30031_ptrace-handle-bogus-selector.patch,
+30032_fixup-trace_irq-breakage.patch
+ [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
+ during ptrace single-step operations that can be used to trigger a
+ NULL-pointer dereference causing an Oops.
+ See CVE-2007-3731
+
+30033_prevent-stack-growth-into-hugetlb-region.patch
+ [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
+ into address space reserved for hugetlb pages.
+ See CVE-2007-3739
+
+30034_cifs-honor-umask.patch
+ [SECURITY] Make CIFS honor a process' umask
+ See CVE-2007-3740
+
+30035_amd64-zero-extend-32bit-ptrace.patch
+ [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
+ See CVE-2007-4573
+
+30036_jffs2-ACL-vs-mode-handling.patch
+ [SECURITY] Write correct legacy modes to the medium on inode creation to
+ prevent incorrect permissions upon remount.
+ See CVE-2007-4849
+
+30039_hugetlb-prio_tree-unit-fix.patch
+ [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree
+ which could be used to trigger a BUG_ON() call in exit_mmap.
+ See CVE-2007-4133
+
+30040_usb-pwc-disconnect-block.patch
+ [SECURITY] Fix issue with unplugging webcams that use the pwc driver.
+ If userspace still has the device open it can result, the driver would
+ wait for the device to close, blocking the USB subsystem.
+ See CVE-2007-5093
+
+30041_ipv6-disallow-RH0-by-default-2.patch
+ Fix ipv6 rfc conformance issue introduced in 2.6.18.dfsg.1-13 by the
+ fix for CVE-2007-2242. Thanks to Brian Haley for the patch.
+ (closes: Debian #440127)
+
+/* This is already in Xen 3.2
+30042_reset-pdeathsig-on-suid-upstream.patch
+ Update fix for CVE-2007-3848 with the patch accepted upstream
+ (formerly 30013_reset-pdeathsig-on-suid.patch)
+*/
+
+30043_don-t-leak-nt-bit-into-next-task-xen.patch
+ [SECURITY] Don't leak NT bit into next task (Xen).
+ See CVE-2006-5755
+
+30044_cifs-better-failed-mount-errors.patch,
+30045_cifs-corrupt-server-response-overflow.patch
+ [SECURITY][CIFS] Fix multiple overflows that can be remotely triggered
+ by a server sending a corrupt response.
+ See CVE-2007-5904
+
+30046_wait_task_stopped-hang.patch
+ [SECURITY] wait_task_stopped was incorrectly testing for TASK_TRACED -
+ check p->exit_state instead avoiding a potential system hang
+ See CVE-2007-5500
+
+30047_ieee80211-underflow.patch
+ [SECURITY] Fix integer overflow in ieee80211 which makes it possible
+ for a malicious frame to crash a system using a driver built on top of
+ the Linux 802.11 wireless code.
+ See CVE-2007-4997
+
+30048_sysfs_readdir-NULL-deref-1.patch,
+30049_sysfs_readdir-NULL-deref-2.patch,
+30050_sysfs-fix-condition-check.patch
+ [SECURITY] Fix potential NULL pointer dereference which can lead to
+ a local DoS (kernel oops)
+ See CVE-2007-3104
+
+30051_tmpfs-restore-clear_highpage.patch
+ [SECURITY] Fix a theoretical kernel memory leak in the tmpfs filesystem
+ See CVE-2007-6417
+
+30052_minixfs-printk-hang.patch
+ [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
+ filesystem that would otherwise cause a system to hang (printk storm)
+ See CVE-2006-6058
+
+30053_hrtimer-large-relative-timeouts-overflow.patch
+ [SECURITY] Avoid overflow in hrtimers due to large relative timeouts
+ See CVE-2007-5966
+
+30054_coredump-only-to-same-uid.patch
+ [SECURITY] Fix an issue where core dumping over a file that
+ already exists retains the ownership of the original file
+ See CVE-2007-6206
+
+30055_isdn-net-overflow.patch
+ [SECURITY] Fix potential overflows in the ISDN subsystem
+ See CVE-2007-6063
+
+30056_proc-snd-page-alloc-mem-leak.patch
+ [SECURITY][ABI Changer] Fix an issue in the alsa subsystem that allows a
+ local user to read potentially sensitive kernel memory from the proc
+ filesystem
+ See CVE-2007-4571
+
+30057_fat-move-ioctl-compat-code.patch
+30058_bugfix/fat-fix-compat-ioctls.patch
+ [SECURITY][ABI Changer] Fix kernel_dirent corruption in the compat layer
+ for fat ioctls
+ See CVE-2007-2878
+
+30059_vfs-use-access-mode-flag.patch
+ [SECURITY] Use the access mode flag instead of the open flag when
+ testing access mode for a directory. Modify
+ features/all/vserver/vs2.0.2.2-rc9.patch to apply on top of this
+ See CVE-2008-0001
+
+30060_i4l-isdn_ioctl-mem-overrun.patch
+ [SECURITY] Fix potential isdn ioctl memory overrun
+ See CVE-2007-6151
+
+30061_vmsplice-security.patch
+ [SECURITY] Fix missing access check in vmsplice.
+ See CVE-2008-0010, CVE-2008-0600
+
+30062_clear-spurious-irq.patch
+ Fix a minor denial of service issue that allows local users to disable
+ an interrupt by causing an interrupt handler to be quickly inserted/removed.
+ This has only been shown to happen with certain serial devices so can only
+ be triggered by a user who already has additional priveleges (dialout
+ group). (closes: Debian #404815)
+
+30063_mmap-VM_DONTEXPAND.patch
+ [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
+ a fault handler but do not bounds check the offset argument
+ See CVE-2008-0007
+
+30064_RLIMIT_CPU-earlier-checking.patch
+ [SECURITY] Move check for an RLIMIT_CPU with a value of 0 earlier
+ to prevent a user escape (closes: #419706)
+ See CVE-2008-1294
+
+30065_dnotify-race.patch
+ [SECURITY] Fix a race in the directory notify
+ See CVE-2008-1375
+
+30066_fcntl_setlk-close-race.patch
+ [SECURITY] Fix an SMP race to prevent reordering of flock updates
+ and accesses to the descriptor table on close().
+ See CVE-2008-1669
+
+30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
+ [SECURITY] Fix remotely-triggerable memory leak in the Simple
+ Internet Transition (SIT) code used for IPv6 over IPv4 tunnels
+ See CVE-2008-2136
+
+30068_hrtimer-prevent-overrun.patch
+30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
+ [SECURITY] Fix potential infinite loop in hrtimer_forward on
+ 64-bit systems
+ See CVE-2007-6712
+
+30070_amd64-cs-corruption.patch
+ [SECURITY] Fix local ptrace denial of service for amd64 flavor
+ kernels, bug #480390
+ See CVE-2008-1615
+
+30071_dccp-feature-length-check.patch
+ [SECURITY] Validate feature length to avoid heap overflow
+ See CVE-2008-2358
+
+30072_asn1-ber-decoding-checks.patch
+ [SECURITY] Validate lengths in ASN.1 decoding code to avoid
+ heap overflow
+ See CVE-2008-1673
+
+
+50009_gentooify-tls-warning.patch
+ Change tls warning instructions to apply directly to Gentoo.