Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Linux kernel security hardening Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Wed, 20 Jan 2010 07:03:09 -0800
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Cc: Josh Bressers <bressers@...hat.com>,
	"Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request - kernel: untangle the do_mremap()
	mess

On Wed, Jan 20, 2010 at 12:41:04AM -0500, Steven M. Christey wrote:
>
> On Wed, 20 Jan 2010, Eugene Teo wrote:
>
>> Anyway, Al summarised the mess here:
>> http://marc.info/?l=linux-arch&m=126004438008670&w=2
>>
>> And the pile of upstream commits were meant to address the problems 
>> described AFAIK. It will probably make more sense to associate all these 
>> related commits to just one CVE name.
>
> I defer to Josh on this, but in a series of patches that is referred to as 
> "mremap/mmap mess" in some linux-kernel subject lines, for which a 
> specialist like Eugene is not entirely certain about, in which some of the 
> patches are assembly-level changes for individual architectures, and where 
> few of the patch diffs make it clear what the underlying problem was - we 
> could collectively spend a week of labor trying to figure everything out 
> from a purist CVE perspective, or anchor on a single series of commits that 
> are hopefully attached to a single kernel RC or minor version release.  I 
> suspect the latter would be more helpful to the general CVE consumer 
> community, so my recommendation is for a single CVE, assuming that all of 
> these patches make it into a single kernel update.

They are all in the 2.6.32.4 release.

thanks,

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ