
Stable kernels 2.6.31.6 and 2.6.27.39 released

The stable team has announced the release of 2.6.31.6 and 2.6.27.39. Both contain fixes all over the tree, with 99 patches for 2.6.31 and 30 patches for 2.6.27. In both cases, the recent null pointer vulnerability in the kernel pipe code has been fixed, so users of these kernels are strongly encouraged to upgrade.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 2:01 UTC (Tue) by PaXTeam (subscriber, #24616) [Link]

why isn't anything whatsoever mentioned in the commit about the security impact of CVE-2009-3547 (not to mention several others)?

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 2:48 UTC (Tue) by foom (subscriber, #14868) [Link]

It's in the release announcement, as long as you know how to read lkmlish: "very strongly
encouraged to upgrade". Your mistake was reading it as if it was english. :)

But seriously: I think we've had this thread already. Nothing new here...

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 3:54 UTC (Tue) by flewellyn (subscriber, #5047) [Link]

They mentioned several CVEs; the omission of that one is likely an oversight. Really, you should stop assuming bad faith on the part of the kernel devs.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 22:16 UTC (Tue) by PaXTeam (subscriber, #24616) [Link]

> They mentioned several CVEs;

you mean all two of them and the least relevant ones at that? ;)

> the omission of that one is likely an oversight.

you mean after exploits have been out in the public, hit /. and others. do you realize that this bug is one of the most serious ones in a long time, affecting probably a decade's worth of kernels?

> Really, you should stop assuming bad faith on the part of the kernel devs.

who said i was assuming anything? the facts speak for themselves and i will continue to point them out whether you like it or not.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 23:05 UTC (Tue) by flewellyn (subscriber, #5047) [Link]

What do you want them to do, then?

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 14:58 UTC (Wed) by drag (subscriber, #31333) [Link]

Probably mention serious security fixes better so that people like me don't
have to wait for PaXTeam to point out issues like this one. :)

I mean; wouldn't it be nice to be able to trust what the kernel releases
changelogs say? Because right now you can't and not everybody is going to
understand the extent of a problem just because the logs reference a null
pointer.

Updated 2.4 released as well

Posted Nov 10, 2009 2:07 UTC (Tue) by JohnLenz (subscriber, #42089) [Link]

2.4.37.7 was also just released and contains a fix to similar pipe code which also had a null pointer dereference vulnerability.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 6:56 UTC (Tue) by lkundrak (subscriber, #43452) [Link]

So, are NULL dereferences in kernel still considered vulnerabilities? I may sound uninformed, but I thought most of them are mitigated either by SELinux policies or vm.mmap_min_addr sysctl.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 7:28 UTC (Tue) by MisterIO (subscriber, #36192) [Link]

Many distributions leave the possibility to map address 0, mostly because of Wine, it seems.

About SELinux, actually at least one time it seems to have helped the attacker.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 10:25 UTC (Tue) by lkundrak (subscriber, #43452) [Link]

That SELinux problem is already considered fixed isn't it?

Looking at any reasonably modern linux distribution reveals that they exchanged win16 application support for sane mmap_min_addr setting, therefore leaving most potential security problems in past (unlikely(were a function called from pointer gotten from NULL pointer to a structure that's > 4096 bytes at least Fedora would still be vulnerable without SELinux)).

And when it comes to older distributions the issue got so much publicity I can't really believe there's anyone with untrusted local users that would still not have shielded himself from kernel NULL dereferences via known techniques.

I'd bet that there are more such issues coming, is it really that necessary to inflate the meaning of "security vulnerability" term?

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 12:25 UTC (Tue) by spender (subscriber, #23067) [Link]

The SELinux problem was fixed upstream and in
Fedora when I released the last exploit. Seven
public exploits however still was not enough for
RHEL to fix their vulnerable default configuration.
It took the release of the pipe exploit for them to
finally fix it in their kernels last Friday.

As for whether people still run with
mmap_min_addr set to zero, or are using a
vulnerable version, or are using an old distro that
hasn't had the feature backported, I know
enough sysadmins to know this is certainly the
case. It doesn't help that distros turn the feature
off when it doesn't necessarily need to be (as
mentioned in other threads here about wine), or
that sufficient, conspicuous warning is not given
when this is going to happen (see the recent
slashdot article with a dozen posters surprised
theirs was turned off and not knowing why).

So certainly, they are still security vulnerabilities,
however distros can and should of course mention
that mitigations exist for privilege escalation. The
bugs remain security vulnerabilities regardless
however since mitigation turns them into a
potential (or certain, if panic_on_oops is enabled
like on some distros) DoS.

-Brad

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 13:00 UTC (Tue) by spender (subscriber, #23067) [Link]

BTW, you need to throw out your entire conception of "untrusted local users." If you run a webserver with php scripts on it and no "untrusted local users" -- there's a good chance at some point the machine will have one (or more), via webapp exploits. The mindset of "I don't have any untrusted local users on this machine so I don't need to upgrade" is what gets people bit by these vulnerabilities.

And just to emphasize an earlier point, if mmap_min_addr and SELinux were written correctly back in 2007 when mmap_min_addr was introduced in response to my first exploit, the bug class would largely be a non-issue right now.

But mmap_min_addr has had 5 or so bypasses since its inclusion, and the SELinux problem was only just fixed in RHEL5 last Friday (as I mentioned already, it was fixed two months or so ago in Fedora) so it's really almost the case that anyone who doesn't have *very* recent _kernels_ is vulnerable.

If we were to talk about "reasonably modern" Linux distributions, RHEL 5.3 is vuln out of the box, RHEL 5.4 is vuln out of the box, Ubuntu 9.04 is vuln out of the box, FC11 is vuln out of the box, that SuSE 10 SP3 just released last month is vuln out of the box.

Ubuntu 9.10 is fine (modulo any toggling from wine), FC12 is fine (I think), and SuSE 11 is fine.

-Brad
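
The trade-off discussed in the comments above (an unset or low mmap_min_addr leaves room for privilege escalation, while a working mitigation still leaves an oops or, with panic_on_oops, a panic) can be checked per host. This is an added example, not part of any comment and not code from the kernel or a distribution; the function names, the result labels and the page-rounding model are assumptions of the example.

```shell
#!/bin/sh
# Added example: models the mmap_min_addr / panic_on_oops trade-off from the thread.
# Labels and the page-rounding model are assumptions of this example.
PAGE_SIZE=4096   # assumed page size

# classify_null_deref MIN_ADDR PANIC_ON_OOPS [OFFSET]
# OFFSET is how far past NULL the kernel would read (e.g. a struct member offset).
classify_null_deref() {
    min_addr=$1; panic=$2; offset=${3:-0}
    for n in "$min_addr" "$panic" "$offset"; do
        case $n in ''|*[!0-9]*) echo invalid; return 2 ;; esac
    done
    # mmap() works on whole pages: find the page the access would land in.
    page=$(( offset / PAGE_SIZE * PAGE_SIZE ))
    if [ "$page" -ge "$min_addr" ]; then
        echo privesc-risk      # an unprivileged process may map that page
    elif [ "$panic" -ne 0 ]; then
        echo panic-dos         # access faults; the oops panics the machine
    else
        echo oops-dos          # access faults; the oops kills the task
    fi
}

# audit_host: classify the running system; quiet no-op where /proc/sys is absent.
audit_host() {
    m=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null) || return 0
    p=$(cat /proc/sys/kernel/panic_on_oops 2>/dev/null) || return 0
    echo "host: mmap_min_addr=$m panic_on_oops=$p -> $(classify_null_deref "$m" "$p")"
}

# Constructed sample settings: "min_addr panic_on_oops offset".
for s in "0 0 0" "4096 0 0" "4096 0 5000" "65536 1 5000"; do
    set -- $s
    echo "$s -> $(classify_null_deref "$1" "$2" "$3")"
done
audit_host
```

The third sample is the case raised earlier in the thread: a one-page floor does not cover a dereference at an offset beyond 4096 bytes.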

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 15:37 UTC (Tue) by nix (subscriber, #2304) [Link]

Technically the people with webservers with php scripts on don't have untrusted local users, they have *malicious* local users that they don't even know are there (as soon as an attacker gets in at all). This is of course worse, because as you suggest they'll often have thought 'ooh, I trust all the local users', which is poppycock.

It's like a filter making sure that everyone who manages to become a local user has larceny in his heart...

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 11:00 UTC (Tue) by nye (guest, #51576) [Link]

>Many distributions leave the possibility to map address 0, mostly because of Wine, it seems.

Which (assuming it's true), is fairly silly. Wine only needs it to run DOS binaries (apparently it used to need it to run some or all win16 binaries, but it hasn't done for years), but it's always been really bad at that anyway, and better methods exist (notably Dosbox).

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 11:16 UTC (Tue) by epa (subscriber, #39769) [Link]

Does dosemu need to map address 0?

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 12:43 UTC (Tue) by nye (guest, #51576) [Link]

I would imagine so, though I've not used it in eight or nine years so couldn't really say...

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 13:01 UTC (Tue) by Cyberax (subscriber, #52523) [Link]

Dosemu needs it, dosbox doesn't.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 16:24 UTC (Tue) by meuh (subscriber, #22042) [Link]

Even for win16 binaries, Wine doesn't need page 0 anymore.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 10:41 UTC (Wed) by nye (guest, #51576) [Link]

That's what I said :P.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 11:15 UTC (Tue) by epa (subscriber, #39769) [Link]

I suggest that it should be considered a vulnerability if it's a vulnerability in any possible configuration. Consider a bug in some obscure device driver that about three people use. If it's exploitable, it should count as a vulnerability, though perhaps not the most serious one. The number of people who run with SELinux turned off is greater than three.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 10:59 UTC (Tue) by modernjazz (subscriber, #4185) [Link]

I haven't kept careful track, but to me it seems that the number of
patches and/or important issues in 2.6.31 exceeds that for recent
releases. Is this true? If so, are there any lessons to be learned? Or is
it merely the case that you're (by mathematical necessity) going to have
some releases with more than your average # of problems?

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 11:44 UTC (Tue) by patrick_g (subscriber, #44470) [Link]

>>> it seems that the number of patches and/or important issues in 2.6.31 exceeds that for recent releases. Is this true?

Extract of the Debian kernel meeting : "Linux 2.6.31 has numerous issues and does not look good as a candidate for long term support or use as a release kernel. There was general agreement on this, the main issues being the number of regressions it shipped with and its generally poor state".

Link : http://lists.debian.org/debian-kernel/2009/10/msg00613.html

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 13:34 UTC (Tue) by qg6te2 (guest, #52587) [Link]

> Linux 2.6.31 has numerous issues and does not look good as a candidate for long term support or use as a release kernel. There was general agreement on this, the main issues being the number of regressions it shipped with and its generally poor state

Huh? So all the recent fix releases, such as 2.6.31.6, mean nothing? Can I have what they're smoking?

Given that kernel developers don't seem to care whether the number of regressions reaches zero before making a new release, the statement from Debian's kernel meeting implies that the (still unreleased) 2.6.32 kernel is unusable by default. Earth shattering news: 2.6.32 is based on 2.6.31.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 13:47 UTC (Tue) by ballombe (subscriber, #9523) [Link]

> Huh? So all the recent fix releases, such as 2.6.31.6, mean nothing? Can I have what they're smoking?

The post you quote is nearly one month old, and 2.6.31.6 was released today...

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 16:14 UTC (Tue) by hmh (subscriber, #3838) [Link]

That's not how it works.

2.6.30 was Bad, and coupled with some other Bad Stuff that crept in during 2.6.31-rc, the result was a sadist kernel that liked to deal major pain (2.6.31).

2.6.31.6 is probably getting into usable territory again, but it still has some important stuff waiting for fixes to land. 2.6.31.7/.8 will probably be acceptable.

These stable releases mean a LOT, they effectively transformed something that was sheer torture (2.6.31) into something one can use with minor pain (2.6.31.4), and now it should be already into "something one can use with occasional minor pains". When the e1000e and page reclaim fixes land in the next stable releases, 2.6.31.y should be almost painless for most users.

By the time 2.6.32 ships, the worst of the fallout from 2.6.30 and 2.6.31 will have been fixed for good (including the stuff that one doesn't fix on -stable releases due to complexity or risk), so, if whatever breakage gets introduced during 2.6.32-rc is not especially bad, it has some chance of being a good kernel.

The Debian kernel maintainers know what they're talking about.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 16:55 UTC (Tue) by nix (subscriber, #2304) [Link]

It massively corrupted my filesystem last night, but I think this was my fault, with what was in hindsight a horribly buggy tuxonice-debugging patch, which broke proper suspension of the block devices, following which ext4 tried to write to them, stamped on its own superblock then panicked and rebooted, leaving me with a desynchronized RAID array and all mounted filesystems with badly mashed block group descriptors and superblocks.

But fsck fixed them all flawlessly (zero differences from backup, I owe tytso yet another beer, by this point I owe him so many he could kill himself with alcohol on my tab) and I blame my own broken patch anyway.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 12:24 UTC (Wed) by jengelh (subscriber, #33263) [Link]

Up a number of parents:
>that the number of patches and/or important issues in 2.6.31 exceeds that for recent releases. Is this true?

Statistically, this seems to be the case.

v2.6.16.62: 1053 commits within 854 days (avg=1.23)
v2.6.27.37: 1298 commits within 367 days (avg=3.53)
v2.6.28.10: 613 commits within 128 days (avg=4.78)
v2.6.29.6: 383 commits within 101 days (avg=3.79)
v2.6.30.9: 436 commits within 118 days (avg=3.69)
v2.6.31.6: 372 commits within 61 days (avg=6.09)

>If so, are there any lessons to be learned?

Also see it from the other side: rather than 2.6.31 being overly buggy, we just give it more bugfixing love than the previous ones.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 13, 2009 6:52 UTC (Fri) by njs (guest, #40338) [Link]

Your statistics are only valid if the patch rate for each stable series is constant over time. It seems more likely that patches flow in the fastest at the beginning of the stable series, and then the rate drops off over time. If that's the case, then your calculation will always show the most recently released kernel as being the worst, because it's the one that's still in that early part of the cycle. Better would be to compare the same period (the first 61 days) of each kernel.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 10, 2009 16:19 UTC (Tue) by madscientist (subscriber, #16861) [Link]

Last I heard, Red Hat is going to be using Linux 2.6.31 as a base for Red Hat EL 6... right? No doubt heavily patched but... that means something, IMO.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 11:18 UTC (Wed) by smadu2 (subscriber, #54943) [Link]

I thought Redhat usually goes with LTS kernels like 2.6.27 no ?

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 12:12 UTC (Wed) by jengelh (subscriber, #33263) [Link]

RedHat? They are at 2.6.18 *right now*.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 12:20 UTC (Wed) by smadu2 (subscriber, #54943) [Link]

Sorry I meant their next EL version. Don't they usually stick with LTS kernels was my question.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 13:54 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link]

No. Red Hat has to maintain a single kernel version for 7 to 10 years. Upstream is never going to do that.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 14:26 UTC (Wed) by smadu2 (subscriber, #54943) [Link]

I am not sure if I can ask the question but do you know what kernel the next EL of Redhat is going to be based on ? Is it 2.6.31 based as somebody above mentioned ?

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 14:37 UTC (Wed) by rahulsundaram (subscriber, #21946) [Link]

Can't comment on that. There is no public information from Red Hat on that yet.

Stable kernels 2.6.31.6 and 2.6.27.39 released

Posted Nov 11, 2009 15:04 UTC (Wed) by smadu2 (subscriber, #54943) [Link]

I understand, thanks.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds