Hi
I do know this community is busy with more important things , but i am
out of ideas/search on this one.
How do i get the patch for the CVE-2004-1334 ? I have an opensource
linux 2.4.28 on my production server.
If you think this question is stupid enough , then i would eventually
write a patch for this .The trouble i have is on applying the patch
cos my understanding of GPL is pretty confusing.
Please point me to the patch for the above .
Regards
King khan
El Mon, 23 Jan 2006 23:09:49 +0530,
Syed Ahemed <[email protected]> escribi?:
> Hi
> I do know this community is busy with more important things , but i am
> out of ideas/search on this one.
> How do i get the patch for the CVE-2004-1334 ? I have an opensource
Well, 2.4.32 fixes that bug and many others security. Any reason why you
aren't using the latest version.
You can find links to the changesets in the original security advisory
from guninski (easy to find in google)
Hi,
On Mon, Jan 23, 2006 at 11:09:49PM +0530, Syed Ahemed wrote:
> Hi
> I do know this community is busy with more important things , but i am
> out of ideas/search on this one.
> How do i get the patch for the CVE-2004-1334 ? I have an opensource
> linux 2.4.28 on my production server.
I'm afraid 2.4-hf does not go that far backwards, it started at 2.4.29.
Git started even later. I've searched through http://linux.bkbits.net/
and I think that what you're looking for is here :
http://linux.bkbits.net:8080/linux-2.4/gnupatch@41b76e94BsJKm8jhVtyDat9ZM1dXXg
> If you think this question is stupid enough , then i would eventually
> write a patch for this .The trouble i have is on applying the patch
> cos my understanding of GPL is pretty confusing.
You don't have to worry, unless explicitly stated otherwise, patches
follow the same licence as the code they're for. So basically you can
apply a kernel patch from any other version to your kernel, and if you
know how to fix the bug by yourself (dangerous), that's fine too.
> Please point me to the patch for the above .
Please check above.
> Regards
> King khan
Regards,
Willy
The simple reason we do not intend to use the latest version is we run
some third party software which cant be front ported (pardon the slang
) to 2.4.29 and above.
As for the changeset by guninski , i wish to ask about a one point
source of applying all the patches for 2.4.28 .I mean shouldn't all
the kernel security patches ( atleast the ones that have become CVE's)
be a part of kernel.org .Since there isn't any what is the reason ?
I dont want to go to Gentoo for one patch , red hat for another
....and GOD knows how many sites .
Torvalds is the GOD of open source , but am i asking for too much :-)
On 1/23/06, Diego Calleja <[email protected]> wrote:
> El Mon, 23 Jan 2006 23:09:49 +0530,
> Syed Ahemed <[email protected]> escribi?:
>
> > Hi
> > I do know this community is busy with more important things , but i am
> > out of ideas/search on this one.
> > How do i get the patch for the CVE-2004-1334 ? I have an opensource
>
> Well, 2.4.32 fixes that bug and many others security. Any reason why you
> aren't using the latest version.
>
> You can find links to the changesets in the original security advisory
> from guninski (easy to find in google)
>
Syed Ahemed wrote:
> The simple reason we do not intend to use the latest version is we run
> some third party software which cant be front ported (pardon the slang
> ) to 2.4.29 and above.
> As for the changeset by guninski , i wish to ask about a one point
> source of applying all the patches for 2.4.28 .I mean shouldn't all
> the kernel security patches ( atleast the ones that have become CVE's)
> be a part of kernel.org .Since there isn't any what is the reason ?
It is "part of kernel.org", it's called 2.4.32. The kernel developers
can hardly be expected to release a patch for every vulnerability
against every possible kernel version ever released..
If you need guaranteed security patches against a specific version of
the kernel you should likely be using a distribution kernel and not a
vanilla kernel.
--
Robert Hancock Saskatoon, SK, Canada
To email, remove "nospam" from [email protected]
Home Page: http://www.roberthancock.com/
On Wed, Jan 25, 2006 at 02:26:51PM +0530, Syed Ahemed wrote:
> The simple reason we do not intend to use the latest version is we run
> some third party software which cant be front ported (pardon the slang
> ) to 2.4.29 and above.
> As for the changeset by guninski , i wish to ask about a one point
> source of applying all the patches for 2.4.28 .I mean shouldn't all
> the kernel security patches ( atleast the ones that have become CVE's)
> be a part of kernel.org .Since there isn't any what is the reason ?
It's even more work for the person doing it. Maintaining the hotfixes
from 2.4.29 already takes me some time (not much more for 4 versions
than for one, what takes the most time is merging the patches, compiling
and releasing).
> I dont want to go to Gentoo for one patch , red hat for another
> ....and GOD knows how many sites .
> Torvalds is the GOD of open source , but am i asking for too much :-)
I can propose a deal to you. You send me a pointer to the patches that
need to be applied to 2.4.28 to make it as secure as 2.4.29, and I can
include 2.4.28 in my hotfix tree, so that you'll get regular updates
for free. I already have what is needed starting from 2.4.29, you just
have to point the 2.4.28-specific patches. It would time consuming for
me to review them all, but if someone like you has some interest in it,
it should be a win-win for both of us.
Simply send me the bkbits.net URLs, I should be able to do the rest.
Regards,
Willy
Hi Willy.
Thanks a lot for the initiative , This is the brief list of
vulnerabilities i am concerned/aware about right now.Will keep looking
for patches in the days to come.
Please feel free to ask for more help , I am ready to volunteer for
the cause of
making the open source kernel secure .
PS : Let me know the approach to get subsequent updates from you ?
1]http://www.openwall.com/linux/
A] CAN-2004-1235
Linux 2.4.29-ow1 is out. Linux 2.4.29, and thus 2.4.29-ow1, adds a
number of security fixes, including to the x86/SMP page fault
handler (CAN-2005-0001) and the uselib(2) (CAN-2004-1235) race
conditions, both discovered by Paul Starzetz. The potential of these
bugs is a local root compromise. The uselib(2) bug does not affect
default builds of Linux kernels with the Openwall patch applied since
the vulnerable code is only compiled in if one explicitly enables
CONFIG_BINFMT_ELF_AOUT, an option introduced by the patch.
2] Same as above [CAN-2004-12345 but just fixes the uselib
vulnerabilty , I dont know again which one to pick
http://kerneltrap.org/node/4503
Marcelo Tosatti [interview] released the 2.4.29-rc1 Linux kernel with
"a SATA update [and a] bunch of network driver updates". He went on to
note, "more importantly it fixes a sys_uselib() vulnerability
discovered by Paul Starzetz". He adds, "[upgrading] is recommended for
users of v2.4.x mainline, distros should be releasing their updates
real soon now." The vulnerability allows local users to gain root
privileges:
3] CAN-2004-1334
http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html
http://linux.bkbits.net:8080/linux-2.4/cset@41b76e94BsJKm8jhVtyDat9ZM1dXXg
http://linux.bkbits.net:8080/linux-2.4/cset@41b766beodCDEFPbjDRLoUUUxw4Z6w
http://linux.bkbits.net:8080/linux-2.4/cset@41b77314ZtyUzWzZFzaCRGoQc6hKcw
http://linux.bkbits.net:8080/linux-2.4/cset@41c01f2bHFmPwBYQmce6Aw0owIyqkg
4] CAN-2004-1016
https://lwn.net/Articles/115726/
Thanks
King Khan
On 1/26/06, Willy Tarreau <[email protected]> wrote:
> On Wed, Jan 25, 2006 at 02:26:51PM +0530, Syed Ahemed wrote:
> > The simple reason we do not intend to use the latest version is we run
> > some third party software which cant be front ported (pardon the slang
> > ) to 2.4.29 and above.
> > As for the changeset by guninski , i wish to ask about a one point
> > source of applying all the patches for 2.4.28 .I mean shouldn't all
> > the kernel security patches ( atleast the ones that have become CVE's)
> > be a part of kernel.org .Since there isn't any what is the reason ?
>
> It's even more work for the person doing it. Maintaining the hotfixes
> from 2.4.29 already takes me some time (not much more for 4 versions
> than for one, what takes the most time is merging the patches, compiling
> and releasing).
>
> > I dont want to go to Gentoo for one patch , red hat for another
> > ....and GOD knows how many sites .
> > Torvalds is the GOD of open source , but am i asking for too much :-)
>
> I can propose a deal to you. You send me a pointer to the patches that
> need to be applied to 2.4.28 to make it as secure as 2.4.29, and I can
> include 2.4.28 in my hotfix tree, so that you'll get regular updates
> for free. I already have what is needed starting from 2.4.29, you just
> have to point the 2.4.28-specific patches. It would time consuming for
> me to review them all, but if someone like you has some interest in it,
> it should be a win-win for both of us.
>
> Simply send me the bkbits.net URLs, I should be able to do the rest.
>
> Regards,
> Willy
>
>