On Tue, Apr 26, 2016 at 01:14:13AM +0200, Ben Hutchings wrote:
> On Thu, 2016-04-21 at 16:33 +0200, Willy Tarreau wrote:
> > On Thu, Apr 21, 2016 at 10:27:46AM -0400, Sasha Levin wrote:
> > >
> > > This means that missing CVE fixes are quite common with stable
> > > trees?
> > Until someone report
On Thu, 2016-04-21 at 16:33 +0200, Willy Tarreau wrote:
> On Thu, Apr 21, 2016 at 10:27:46AM -0400, Sasha Levin wrote:
> >
> > This means that missing CVE fixes are quite common with stable
> > trees?
> Until someone reports they are missing :-)
Or they are unfixed upstream (there are a good few
On 04/21/2016 10:54 AM, Jiri Slaby wrote:
> On 04/21/2016, 03:53 PM, Sasha Levin wrote:
>> I'm not trying to replace the stable trees, I'm trying to help users who don't
>> update the stable tree that often to at least receive critical fixes in between
>> those updates.
>
> And that's the
[Sorry I'm cutting out lots of stuff here, I just want to understand the point
below first]
On 04/21/2016 10:54 AM, Jiri Slaby wrote:
> On 04/21/2016, 03:53 PM, Sasha Levin wrote:
>>> Pardon my ignorance, how can you actually be sure?
>>
>> I'm not, same way you can't be sure about your stable pat
On 04/21/2016, 03:53 PM, Sasha Levin wrote:
>> Pardon my ignorance, how can you actually be sure?
>
> I'm not, same way you can't be sure about your stable patch selection either.
I repeat I am not doing any selection.
Patches are not included iff they do not apply and I am not confident
enough
On Thu, Apr 21, 2016 at 10:27:46AM -0400, Sasha Levin wrote:
> This means that missing CVE fixes are quite common with stable trees?
Until someone reports they are missing :-)
Willy
On 04/21/2016 10:13 AM, Jiri Slaby wrote:
> On 04/21/2016, 03:54 PM, Sasha Levin wrote:
>> On 04/21/2016 08:39 AM, Greg KH wrote:
>>> On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote:
> On 04/21/2016, 01:59 PM, Jiri Slaby wrote:
> (CVE-2016-2085) 613317b EVM: Use crypto_memneq
On Thu, Apr 21, 2016 at 04:13:07PM +0200, Jiri Slaby wrote:
> On 04/21/2016, 03:54 PM, Sasha Levin wrote:
> > On 04/21/2016 08:39 AM, Greg KH wrote:
> >> On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote:
> On 04/21/2016, 01:59 PM, Jiri Slaby wrote:
> (CVE-2016-2085) 613317b
On 04/21/2016 08:56 AM, Willy Tarreau wrote:
> On Wed, Apr 20, 2016 at 03:50:34PM -0400, Sasha Levin wrote:
>> Hi all,
>>
>> Updates for stable-security kernels have been released:
>>
>> - v3.12.58-security
>> - v3.14.67-security
>> - v3.18.31-security
>> - v4.1.22-security
>>
On 04/21/2016, 03:54 PM, Sasha Levin wrote:
> On 04/21/2016 08:39 AM, Greg KH wrote:
>> On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote:
On 04/21/2016, 01:59 PM, Jiri Slaby wrote:
(CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons
>>
>> Does not
On Thu, Apr 21, 2016 at 10:01:29AM -0400, Sasha Levin wrote:
> > What are you "stop-gapping" then? The 7-10 days between stable
> > releases?
>
> In a perfect world where everyone has a team of kernel hackers on hand
> reviewing stable commits, verifying the resulting kernel doesn't regress
> the
On 04/21/2016 08:36 AM, Greg KH wrote:
> On Thu, Apr 21, 2016 at 07:27:39AM -0400, Sasha Levin wrote:
>> Hey Willy,
>>
>> On 04/21/2016 03:11 AM, Willy Tarreau wrote:
>>> This illustrates exactly what I suspected would happen because that's the
>>> same trouble we all face when picking backports fo
On 04/21/2016 08:39 AM, Greg KH wrote:
> On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote:
>> > On 04/21/2016, 01:59 PM, Jiri Slaby wrote:
> >> (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest
> >> comparisons
>>> > >
>>> > > Does not exist in the CVE database/is no
On 04/21/2016 07:59 AM, Jiri Slaby wrote:
> On 04/21/2016, 01:11 PM, Sasha Levin wrote:
>>> Ok, not that bad, it is only unused code, but why are *not* these in the
>>> security tree?
>>> ipr: Fix out-of-bounds null overwrite
>>
>> Is there a particular way to exploit this that I'm missing?
>
> An
On Wed, Apr 20, 2016 at 03:50:34PM -0400, Sasha Levin wrote:
> Hi all,
>
> Updates for stable-security kernels have been released:
>
> - v3.12.58-security
> - v3.14.67-security
> - v3.18.31-security
> - v4.1.22-security
> - v4.4.8-security
> - v4.5.2-security
On Thu, Apr 21, 2016 at 09:39:18PM +0900, Greg KH wrote:
> On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote:
> > On 04/21/2016, 01:59 PM, Jiri Slaby wrote:
> > >> (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons
> > >
> > > Does not exist in the CVE database/is not
On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote:
> On 04/21/2016, 01:59 PM, Jiri Slaby wrote:
> >> (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons
> >
> > Does not exist in the CVE database/is not confirmed yet AFAICS.
>
> And now I am looking at the patch and I
On Thu, Apr 21, 2016 at 07:27:39AM -0400, Sasha Levin wrote:
> Hey Willy,
>
> On 04/21/2016 03:11 AM, Willy Tarreau wrote:
> > This illustrates exactly what I suspected would happen because that's the
> > same trouble we all face when picking backports for our respective trees
> > except that sinc
Sasha Levin writes:
> On 04/21/2016 02:43 AM, Jiri Slaby wrote:
>
>> Input: powermate - fix oops with malicious USB descriptors
>
> This requires physical access to the machine.
You wish.
Say you have some internal USB connected device with replaceable
firmware. LTE modem, fingerprint reader, we
On 04/21/2016, 01:59 PM, Jiri Slaby wrote:
>> (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons
>
> Does not exist in the CVE database/is not confirmed yet AFAICS.
And now I am looking at the patch and I remember why I threw it away.
crypto_memneq is not in 3.12 yet and I wa
On 04/21/2016, 01:11 PM, Sasha Levin wrote:
>> Ok, not that bad, it is only unused code, but why are *not* these in the
>> security tree?
>> ipr: Fix out-of-bounds null overwrite
>
> Is there a particular way to exploit this that I'm missing?
Any (write > 100) to "/sys/.../fw_update" writes '0' o
Hey Willy,
On 04/21/2016 03:11 AM, Willy Tarreau wrote:
> This illustrates exactly what I suspected would happen because that's the
> same trouble we all face when picking backports for our respective trees
> except that since the selection barrier is much higher here, lots of
> important ones wil
On 04/21/2016 02:43 AM, Jiri Slaby wrote:
> On 04/20/2016, 09:50 PM, Sasha Levin wrote:
>> Updates for stable-security kernels have been released:
>>
>> - v3.12.58-security
>
> I suggest nobody uses that kernel.
>
> That tree does not make much sense to me. For example, what's the
> purpose
Hi Jiri,
On Thu, Apr 21, 2016 at 08:43:55AM +0200, Jiri Slaby wrote:
> On 04/20/2016, 09:50 PM, Sasha Levin wrote:
> > Updates for stable-security kernels have been released:
> >
> > - v3.12.58-security
>
> I suggest nobody uses that kernel.
>
> That tree does not make much sense to me. For
On 04/20/2016, 09:50 PM, Sasha Levin wrote:
> Updates for stable-security kernels have been released:
>
> - v3.12.58-security
I suggest nobody uses that kernel.
That tree does not make much sense to me. For example, what's the
purpose of "kernel: Provide READ_ONCE and ASSIGN_ONCE" (commit
Hi all,
Updates for stable-security kernels have been released:
- v3.12.58-security
- v3.14.67-security
- v3.18.31-security
- v4.1.22-security
- v4.4.8-security
- v4.5.2-security
They are available at:
https://git.kernel.org/cgit/linux/ke