[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[SECURITY] Fedora Core 2 Update: kernel-2.6.6-1.427



---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-137
2004-06-11
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : kernel
Version     : 2.6.6                      
Release     : 1.427                  
Summary     : The Linux kernel (the core of the Linux operating system)
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system.  The kernel handles the basic functions
of the operating system:  memory allocation, process allocation, device
input and output, etc.

---------------------------------------------------------------------
Update Information:

An updated kernel is available that brings the kernel to the 2.6.7-rc3 base
level. This new kernel provides a significant number of bug fixes and
improvements for USB, the keyboard/mouse subsystem and the VM. This kernel
also fixes the high profile bugs about not working on VIA C3 processors
(#120685) and Asus P4P800 motherboards (#121819). In this new kernel
firewire no longer oopses during boot and has been re-enabled, however we
consider firewire support still somewhat experimental and recommend
extensive testing before using firewire in a production environment. 

This kernel also contains the enhancements series from Al Viro that enables
the Sparse source code checking tool to check for a certain class kernel
bugs. This class of bugs can lead to privilege escalation vulnerabilities,
and fixes for all such bugs that were found with Sparse and these patches
are included in this erratum.

NX feature
----------

In addition to these bugfixes, the x86 kernel-smp subpackage now also
contains support for the 'NX' feature that is present in current AMD
Athlon64/Opteron processors and for which support has been announced by
Intel, VIA and Transmeta for future processors.

A significant percentage of security exploits are made possible by abusing
buffer overflow programming defects in application. With an executable stack
or heap, an attacker could use the buffer overflow to put hostile program
code on the stack/heap and consequently trick the program into executing
this code. The 'NX' feature adds a "don't execute" bit which lets the kernel
disallow executing code from marked areas such as the stack and the heap.

http://www.uwsg.indiana.edu/hypermail/linux/kernel/0406.0/0497.html
describes the patch that provides this feature in more detail.

Fedora Core 1 and Fedora Core 2 already contain the Execshield functionality
in both the regular and smp kernels. By using the segmentation feature of
x86 processors, Execshield can effectively make the stack and certain other
regions of memory non-executable on all existing x86 processors.  On
processors with the 'NX' feature, the kernel can make a finer grained
protection decision about which regions of the application memory need to
have execution disabled. While Execshield provides the basic no-execute
protection for the stack and (for most applications) the heap, the 'NX'
feature allows for a more enhanced safety net against buffer overflow
attacks in complex applications such as the X server. The 'NX' feature is
also used to protect against buffer overflow attacks to the kernel itself.

Having a non-executable stack/heap can help prevent the most common security
exploits. Other Execshield features such as PIE (Position Independent
Executable) randomization supplement and increase this protection (either
provided via the segment limits or via the 'NX' feature) with the overall
goal of making it much harder to exploit security flaws.



---------------------------------------------------------------------
* Fri Jun 11 2004 Arjan van de Ven

- disable mlock-uses-rlimit patch, it has a security hole and needs more thought
- revert airo driver to the FC2 one since the new one breaks

* Wed Jun 09 2004 Dave Jones <davej redhat com>

- Update to 2.6.7rc3

* Sat Jun 05 2004 Arjan van de Ven <arjanv redhat com>

- fix the mlock-uses-rlimit patch

* Thu Jun 03 2004 David Woodhouse <dwmw2 redhat com>

- Add ppc64 (Mac G5)

* Thu Jun 03 2004 Arjan van de Ven <arjanv redhat com>

- add a forward port of the mlock-uses-rlimit patch
- add NX support for x86 (Intel, Ingo)

* Wed Jun 02 2004 Arjan van de Ven <arjanv redhat com>

- refresh ext3 reservation patch

* Mon May 31 2004 Arjan van de Ven <arjanv redhat com>

- 2.6.7-rc2

* Fri May 28 2004 Pete Zaitcev <zaitcev redhat com>

- Fix qeth and zfcp (s390 drivers): align qib by 256, embedded into qdio_irq.

* Fri May 28 2004 Dave Jones <davej redhat com>

- Fix the crashes on boot on Asus P4P800 boards. (#121819)

* Thu May 27 2004 Dave Jones <davej redhat com>

- Lots more updates to the SCSI whitelist for various
  USB card readers. (#112778, among others..)

* Thu May 27 2004 Arjan van de Ven <arjanv redhat com>

- back out ehci suspend/resume patch, it breaks
- add fix for 3c59x-meets-kudzu bug from Alan

* Wed May 26 2004 Arjan van de Ven <arjanv redhat com>

- try improving suspend/resume by restoring more PCI state
- 2.6.7-rc1-bk1

* Tue May 25 2004 Dave Jones <davej redhat com>

- Add yet another multi-card reader to the whitelist (#85851)

* Mon May 24 2004 Dave Jones <davej redhat com>

- Add another multi-card reader to the whitelist (#124048)

* Thu May 20 2004 Arjan van de Ven <arjanv redhat com>

- put firewire race fix in (datacorruptor)

* Wed May 19 2004 Dave Jones <davej redhat com>

- Fix typo in ibmtr driver preventing compile (#123391)

* Tue May 18 2004 Arjan van de Ven <arjanv redhat com>

- update to 2.6.6-bk3
- made kernel-source and kernel-doc noarch.rpm's since they are not
  architecture specific.


---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

337c999f7dc1dccf8bda806ab94aaad0  SRPMS/kernel-2.6.6-1.427.src.rpm
409e0582df22abbbae031a1593093285  i386/kernel-2.6.6-1.427.i586.rpm
8a009651ce46a265f7705d31f02fcb6e  i386/kernel-smp-2.6.6-1.427.i586.rpm
f8a2f4edc790cca69829ee71898d0095  i386/debug/kernel-debuginfo-2.6.6-1.427.i586.rpm
db2fad6f1bc995fca31f1558aafe8d8a  i386/kernel-2.6.6-1.427.i686.rpm
d34f944530365d54e95c1a762a103d7a  i386/kernel-smp-2.6.6-1.427.i686.rpm
de203c8bdebd186192a0fb12a12eaf5a  i386/debug/kernel-debuginfo-2.6.6-1.427.i686.rpm
d3d3605bc24d574cd0813edc0be8d65c  i386/kernel-sourcecode-2.6.6-1.427.noarch.rpm
826a07dcc5c5c8f60bc169f67780c2dc  i386/kernel-doc-2.6.6-1.427.noarch.rpm
05fa87f6bb8d2e2d2c0b8f13de180feb  x86_64/kernel-2.6.6-1.427.x86_64.rpm
eab86618eb29a90b4d1ca3810485b117  x86_64/kernel-smp-2.6.6-1.427.x86_64.rpm
aca6a3b39034e44116bc752ad5e15349  x86_64/debug/kernel-debuginfo-2.6.6-1.427.x86_64.rpm
d3d3605bc24d574cd0813edc0be8d65c  x86_64/kernel-sourcecode-2.6.6-1.427.noarch.rpm
826a07dcc5c5c8f60bc169f67780c2dc  x86_64/kernel-doc-2.6.6-1.427.noarch.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
---------------------------------------------------------------------

Attachment: pgp00004.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]