---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-582
2005-01-03
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : kernel
Version     : 2.6.9
Release     : 1.724_FC3
Summary     : The Linux kernel (the core of the Linux operating system)
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc.

A large change over previous kernels has been made.
The 4G:4G memory split patch has been dropped, and Fedora kernels now
revert back to the upstream 3G:1G kernel/userspace split.

A number of security fixes are present in this update.

CAN-2004-1016:
Paul Starzetz discovered a buffer overflow vulnerability in the
"__scm_send" function which handles the sending of UDP network
packets. A wrong validity check of the cmsghdr structure allowed a
local attacker to modify kernel memory, thus causing an endless loop
(Denial of Service) or possibly even root privilege escalation.

CAN-2004-1017:
Alan Cox reported two potential buffer overflows with the io_edgeport
driver.

CAN-2004-1068:
A race condition was discovered in the handling of AF_UNIX network
packets. This reportedly allowed local users to modify arbitrary
kernel memory, facilitating privilege escalation, or possibly allowing
code execution in the context of the kernel.

CAN-2004-1137:
Paul Starzetz discovered several flaws in the IGMP handling code. This
allowed users to provoke a Denial of Service, read kernel memory, and
execute arbitrary code with root privileges. This flaw is also
exploitable remotely if an application has bound a multicast socket.

CAN-2004-1151:
Jeremy Fitzhardinge discovered two buffer overflows in the
sys32_ni_syscall() and sys32_vm86_warning() functions.
This could possibly be exploited to overwrite kernel memory with
attacker-supplied code and cause root privilege escalation.

NO-CAN-ASSIGNED:
- Fix memory leak in ip_conntrack_ftp (local DoS)
- Do not leak IP options. (local DoS)
- fix missing security_*() check in net/compat.c
- ia64/x86_64/s390 overlapping vma fix
- Fix bugs with SOCK_SEQPACKET AF_UNIX sockets
- Make sure VC resizing fits in s16.
  Georgi Guninski reported a buffer overflow with vc_resize().
- Clear ebp on sysenter return.
  A small information leak was found by Brad Spengler.

---------------------------------------------------------------------
* Sat Jan 01 2005 Dave Jones <davej@xxxxxxxxxx>
- Fix probing of vesafb. (#125890)
- Enable PCILynx driver. (#142173)

* Fri Dec 31 2004 Dave Jones <davej@xxxxxxxxxx>
- Drop 4g/4g patch completely.

* Tue Dec 28 2004 Dave Jones <davej@xxxxxxxxxx>
- Drop bogus ethernet slab cache.

* Thu Dec 23 2004 Dave Jones <davej@xxxxxxxxxx>
- Fix bio error propagation.
- Clear ebp on sysenter return.
- Extra debugging info on OOM kill.
- exit() race fix.
- Fix refcounting order in sd/sr, fixing cable pulls on USB storage.
- IGMP source filter fixes.
- Fix ext2/3 leak on umount.
- fix missing wakeup in ipc/sem
- Fix another tux corner case bug.

* Wed Dec 22 2004 Dave Jones <davej@xxxxxxxxxx>
- Add another ipod to the unusual usb devices list. (#142779)

* Tue Dec 21 2004 Dave Jones <davej@xxxxxxxxxx>
- Fix two silly bugs in the AGP posting fixes.

* Thu Dec 16 2004 Dave Jones <davej@xxxxxxxxxx>
- Better version of the PCI Posting fixes for agpgart.
- Add missing cache flush to the AGP code.

* Sun Dec 12 2004 Dave Jones <davej@xxxxxxxxxx>
- fix false ECHILD result from wait* with zombie group leader.

* Sat Dec 11 2004 Dave Jones <davej@xxxxxxxxxx>
- Workaround broken pci posting in AGPGART.
- Make sure VC resizing fits in s16.

* Fri Dec 10 2004 Dave Jones <davej@xxxxxxxxxx>
- Prevent block device queues from being shared in viocd. (#139018)
- Libata updates. (#132848, #138405)
- aacraid: remove aac_handle_aif (#135527)
- fix uninitialized variable in waitid(2). (#142505)
- Fix CMSG validation checks wrt. signedness.
- Fix memory leak in ip_conntrack_ftp
- [IPV4]: Do not leak IP options.
- ppc64: Align PACA buffer for hypervisor's use. (#141817)
- ppc64: Indicate that the veth link is always up. (#135402)
- ppc64: Quiesce OpenFirmware stdin device at boot. (#142009)
- SELinux: Fix avc_node_update oops. (#142353)
- Fix CCISS ioctl return code.
- Make ppc64's pci_alloc_consistent() conform to documentation. (#140047)
- Disable tiglusb module. (#142102)
- E1000 64k-alignment fix. (#140047)
- Disable tiglusb module. (#142102)
- ID updates for cciss driver.
- Fix overflows in USB Edgeport-IO driver. (#142258)
- Fix wrong TASK_SIZE for 32bit processes on x86-64. (#141737)
- Fix ext2/ext3 xattr/mbcache race. (#138951)
- Fix bug where __getblk_slow can loop forever when pages are
  partially mapped. (#140424)
- Add missing cache flushes in agpgart code.

* Wed Dec 08 2004 Dave Jones <davej@xxxxxxxxxx>
- Enable EDD
- Enable ETH1394. (#138497)
- Workaround E1000 post-maturely writing back to TX descriptors. (#133261)
- Fix the previous E1000 errata workaround.
- Several IDE fixes from 2.6.9-ac
- vm pageout throttling. (#133858)
- Fix Tux from oopsing. (#140918)
- Fix Tux/SELinux incompatibility (#140916)
- Fix Tux/IPV6 problem. (#140916)
- ide: Fix possible oops on boot.
- Make spinlock debugging panic instead of printk.
- Update Emulex lpfc driver to 8.0.16
- Selected patches from 2.6.9-ac12
- ppc64: Fix inability to find space for TCE table (#138844)
- Fix compat fcntl F_GETLK{,64} (#141680)
- blkdev_get_blocks(): handle eof
- Another card reader for the whitelist. (#134094)

* Sat Dec 04 2004 Dave Jones <davej@xxxxxxxxxx>
- Enable both old and new megaraid drivers.
- Add yet another card reader to usb scsi whitelist. (#141367)
- Fix oops in conntrack on rmmod.

* Fri Dec 03 2004 Dave Jones <davej@xxxxxxxxxx>
- Pull in bits of -ac12
  Should fix the smbfs & visor issues among others.

* Thu Dec 02 2004 Dave Jones <davej@xxxxxxxxxx>
- Drop the futex debug patch, it served its purpose.
- XFRM layer bug fixes
- ppc64: Convert to using ibm,read-slot-reset-state2 RTAS call
- ide: Make CSB6 driver support configurations.
- ide: Handle early EOF on CDs.
- Fix sx8 device naming in sysfs
- e100/e1000: return -EINVAL when setting rx-mini or rx-jumbo. (#140793)

* Wed Dec 01 2004 Dave Jones <davej@xxxxxxxxxx>
- Disable 4G/4G for i686.
- Workaround for the E1000 erratum 23 (#140047)
- Remove bogus futex warning. (#138179)
- x86_64: Fix lost edge triggered irqs on UP kernel.
- x86_64: Reenable DRI for MGA.
- Workaround E1000 post-maturely writing back to TX descriptors (#133261)
- 3c59x: add EEPROM_RESET for 3c900 Boomerang
- Fix buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()
- ext3: improves ext3's error logging when we encounter an on-disk
  corruption.
- ext3: improves ext3's ability to deal with corruption on-disk
- ext3: Handle double-delete of indirect blocks.
- Disable SCB2 flash driver for RHEL4. (#141142)

* Tue Nov 30 2004 Dave Jones <davej@xxxxxxxxxx>
- x86_64: add an option to configure oops stack dump
- x86[64]: display phys_proc_id only when it is initialized
- x86_64: no TIOCSBRK/TIOCCBRK in ia32 emulation
- via-rhine: references __init code during resume
- Add barriers to generic timer code to prevent race. (#128242)
- ppc64: Add PURR and version data to /proc/ppc64/lparcfg
- Prevent xtime value becoming incorrect.
- scsi: return full SCSI status byte in SG_IO
- Fix show_trace() in irq context with CONFIG_4KSTACKS
- Adjust alignment of pagevec structure.
- md: make sure md always uses rdev_dec_pending properly.
- Make proc_pid_status not dereference dead task structs.
- sg: Fix oops of sg_cmd_done and sg_release race (#140648)
- fix bad segment coalescing in blk_recalc_rq_segments()
- fix missing security_*() check in net/compat.c
- ia64/x86_64/s390 overlapping vma fix
- Update Emulex lpfc to 8.0.15

* Mon Nov 29 2004 Dave Jones <davej@xxxxxxxxxx>
- Add another card reader to whitelist. (#141022)
- Fix possible hang in do_wait() (#140042)
- Fix ps showing wrong ppid. (#132030)
- Print advice to use -hugemem if >=16GB of memory is detected.
- Enable ICOM serial driver. (#136150)
- Enable acpi hotplug driver for IA64.
- SCSI: fix USB forced remove oops.
- ia64: add missing sn2 timer mask in time_interpolator code. (#140580)
- ia64: Fix hang reading /proc/pal/cpu0/tr_info (#139571)
- ia64: bump number of UARTS. (#139100)
- Fix ACPI debug level (#141292)
- Make EDD runtime configurable, and reenable.
- ppc64: IBM VSCSI driver race fix. (#138725)
- ppc64: Ensure PPC64 interrupts don't end up hard-disabled.
  (#139020, #131590)
- ppc64: Yet more sigsuspend/singlestep fixing. (#140102, #137931)
- x86-64: Implement ACPI based reset mechanism. (#139104)
- Backport 2.6.10rc sysfs changes needed for IBM hotplug driver. (#140372)
- Update Emulex lpfc driver to v8.0.14
- Optimize away the unconditional write to debug registers on signal
  delivery path.
- Fix up scsi_test_unit_ready() to work correctly with CD-ROMs.
- md: fix two little bugs in raid10
- Remove incorrect ELF check from module loading. (#140954)
- Plug leaks in error paths of aic driver.
- Add refcounting to scsi command allocation.
- Taint oopses on machine checks, bad_page()'s calls and forced rmmod's.
- Share Intel cache descriptors between x86 & x86-64.
- rx checksum support for gige nForce ethernet
- vm: vm_dirty_ratio initialisation fix

* Sun Nov 28 2004 Dave Jones <davej@xxxxxxxxxx>
- Move 4g/4g kernel into -hugemem.

* Sat Nov 27 2004 Dave Jones <davej@xxxxxxxxxx>
- Recognise Shuttle SN85G4 card reader. (#139163)

* Tue Nov 23 2004 Dave Jones <davej@xxxxxxxxxx>
- Add futex debug patch.

* Mon Nov 22 2004 Dave Jones <davej@xxxxxxxxxx>
- Update -ac patch to 2.6.9-ac11
- make tulip_stop_rxtx() wait for DMA to fully stop. (#138240)
- ACPI: Make LEqual less strict about operand types matching.
- scsi: avoid extra 'put' on devices in __scsi_iterate_device() (#138135)
- Fix bugs with SOCK_SEQPACKET AF_UNIX sockets
- Reenable token ring drivers. (#119345)
- SELinux: Map Unix seqpacket sockets to appropriate security class
- SELinux: destroy avtab node cache in policy load error path.
- AF_UNIX: Serialize dgram read using semaphore just like stream.
- lockd: NLM blocks locks don't sleep
- NFS lock recovery fixes
- Add more MODULE_VERSION tags (#136403)
- Update qlogic driver to 2.6.10rc2 level.
- cciss: fixes for clustering
- ieee802.11 update.
- ipw2100: update to ver 1.0.0
- ipw2200: update to ver 1.0.0
- Enable promisc mode on ipw2100
- 3c59x: reload EEPROM values at rmmod for needy cards
- ppc64: Prevent sigsuspend stomping on r4 and r5
- ppc64: Alternative single-step fix.
- fix for recursive netdump oops on x86_64
- ia64: Fix IRQ routing fix when booted with maxcpus= (#138236)
- ia64: search the iommu for the correct size
- Deal with fraglists correctly on ipv4/ipv6 output
- Various statm accounting fixes (#139447)
- Reenable CMM /proc interface for s390 (#137397)

* Fri Nov 19 2004 Dave Jones <davej@xxxxxxxxxx>
- e100: fix improper enabling of interrupts. (#139706)
- autofs4: allow map update recognition
- Various TCP fixes from 2.6.10rc
- Various netlink fixes from 2.6.10rc
- [IPV4]: Do not try to unhash null-netdev nexthops.
- ppc64: Make NUMA map CPU->node before bringing up the CPU (#128063)
- ppc64: sched domains / cpu hotplug cleanup. (#128063)
- ppc64: Add a CPU_DOWN_PREPARE hotplug CPU notifier (#128063)
- ppc64: Register a cpu hotplug notifier to reinitialize the
  scheduler domains hierarchy (#128063)
- ppc64: Introduce CPU_DOWN_FAILED notifier (#128063)
- ppc64: Make arch_destroy_sched_domains() conditional (#128063)
- ppc64: Use CPU_DOWN_FAILED notifier in the sched-domains hotplug
  code (#128063)
- Various updates to the SCSI midlayer from 2.6.10rc.
- vlan_dev: return 0 on vlan_dev_change_mtu success. (#139760)
- Update Emulex lpfc driver to v8013
- Fix problem with b44 driver and 4g/4g patch. (#118165)
- Prevent oops when loading aic79xx on machine without hardware. (#125982)
- Use correct spinlock functions in token ring net code. (#135462)
- scsi: Add reset ioctl capability to ULDs
- scsi: update ips driver to 7.10.18
- Reenable ACPI hotplug driver. (#139976, #140130, #132691)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
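
An added example, not part of the original advisory: a shell check that classifies a host against the fixed build named above (2.6.9-1.724_FC3), including the case where the update is installed but an older kernel is still running. The function names, the numeric-field comparison (a simplification of RPM's version ordering) and the sample version strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Fixed build named in advisory FEDORA-2004-582.
FIXED="2.6.9-1.724_FC3"

# ver_ge A B: succeed if A >= B, comparing numeric fields left to right
# (2.6.9-1.724_FC3 -> 2 6 9 1 724 3). Assumption: a simplification of
# RPM's ordering that is adequate for these kernel release strings.
ver_ge() {
    a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# kernel_status RUNNING [INSTALLED...]
#   RUNNING   : output of `uname -r`
#   INSTALLED : rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel kernel-smp
# Prints fixed, reboot-needed (update installed, old kernel still
# running) or vulnerable.
kernel_status() {
    running=$1
    shift
    if ver_ge "$running" "$FIXED"; then
        echo fixed
        return 0
    fi
    for v in "$@"; do
        if ver_ge "$v" "$FIXED"; then
            echo reboot-needed
            return 0
        fi
    done
    echo vulnerable
}

# Constructed sample inputs, not taken from a real host.
kernel_status 2.6.9-1.667 2.6.9-1.667
kernel_status 2.6.9-1.681_FC3 2.6.9-1.681_FC3 2.6.9-1.724_FC3
kernel_status 2.6.9-1.724_FC3smp 2.6.9-1.724_FC3
```

A host reported as reboot-needed is still exposed to the kernel flaws listed above until it boots into the updated kernel.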