|
|
Subscribe / Log in / New account

Security

A rootkit dissected

By Jake Edge
November 21, 2012

A recently discovered Linux rootkit has a number of interesting attributes that make it worth a look. While it demonstrates the power that a rootkit has (to perform its "job" as well as hide itself from detection) this particular rootkit also has some fairly serious bugs—some that are almost comical. What isn't known, at least yet, is how the system where it was discovered became infected; there is no exploit used by the rootkit to propagate itself.

The rootkit was reported to the full-disclosure mailing list on November 13 by "stack trace". Customers had noticed that they were being redirected to malicious sites by means of an <iframe> in the HTTP responses from Stack Trace's site. Stack Trace eventually found that the Nginx web server on the system was not delivering the <iframe> and tracked it to a loadable kernel module, which was attached to the posting. Since then, both CrowdStrike and Kaspersky Lab's Threatpost have analyzed the module's behavior.

The first step for a rootkit is to get itself running in the kernel. That can be accomplished by means of a loadable kernel module. In this case, the module is targeted at the most recent 64-bit kernel version used by Debian 6.0 ("Squeeze"):

    /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko 
The presence of that file would indicate infection, though a look at the process list is required to determine if the rootkit is actually loaded. Once loaded, the module has a number of different tasks to perform that are described below. The CrowdStrike post has even more detail for those interested.

The rootkit targets HTTP traffic, so that it can inject an <iframe> containing an attack: either a malicious URL or some kind of JavaScript-based attack. In order to do that in a relatively undetectable way, it must impose itself into the kernel's TCP send path. It does so by hooking tcp_sendmsg().

Of course, that function and other symbols that the rootkit wants to access are not exported symbols that would be directly accessible to a kernel module. So the rootkit uses /proc/kallsyms to get the addresses it needs. Amusingly, there is code to fall back to looking for the proper System.map to parse for the addresses, but it is never used due to a bug. Even though the kernel version is hardcoded in several places in the rootkit, the System.map helper function actually uses uname -r to get the version. The inability to fall back to checking System.map, along with this version-getting oddity make it seem like multiple people—with little or no inter-communication—worked on the code. Other odd bugs in the rootkit only add to that feeling.

For example, when hooking various functions, the rootkit carefully saves away the five bytes it needs to overwrite with a jmp instruction, but then proceeds to write 19 bytes at the start of the function. That obliterates 14 bytes of code, which eliminates any possibility of unhooking the function. Beyond that, it can't call the unhooked version of the function either, so the rootkit contains private copies of all the functions it hooks.

Beyond hooking tcp_sendmsg(), the rootkit also attempts to hide its presence. There is code to hide the files that it installs, as well as its threads. The file hiding works well enough by hooking vfs_readdir() and using a list of directories and files that should not be returned. Fortunately (or unfortunately, depending on one's perspective), the thread hiding doesn't work at all. It uses the same file-hiding code, but doesn't look in /proc nor convert the names into PIDs, so ps and other tools show the threads. In the original report, Stack Trace noted two threads named get_http_inj_fr and write_startup_c; those names are fairly descriptive given the behavior being seen. The presence of one or both of those names in the process list would mean that the system has the rootkit loaded.

The rootkit does successfully remove itself from the list of loaded modules. It directly iterates down the kernel's module list and deletes the entry for itself. That way lsmod will not list the module, but it also means that it cannot be unloaded, obviating the "careful" preparations in the hooked functions for that eventuality.

As with other malware (botnets in particular), the rootkit has a "command and control" client. That client contacts a particular server (at a hosting service in Germany) for information about what to inject in the web pages. There is some simple, weak encryption used on the link for both authentication and obfuscation of the message.

Beyond just missing a way to propagate to other systems, the rootkit is also rather likely to fail to persist after a reboot. It has code to continuously monitor and alter /etc/rc.local to add an insmod for the rootkit module. It also hooks vfs_read() to look for the exact insmod line and adjusts the buffer to hide that line from anyone looking at the file. But it just appends the command to rc.local, which means that on a default installation of Debian Squeeze it ends up just after an exit 0 line.

Like much of the rest of the rootkit, the HTTP injection handling shows an odd mix of reasonably sensible choices along with some bugs. It looks at the first buffer to be sent to the remote side, verifies that its source port is 80 and that it is not being sent to the loopback address. It also compares the destination IP address with a list of 1708 search engine IP addresses, and does no further processing if it is on the list.

One of the bugs that allowed Stack Trace to diagnose the problem is the handling of status codes. Instead of looking for the 200 HTTP success code, the rootkit looks for three strings on a blacklist that correspond to HTTP failures. That list is not exhaustive, so Stack Trace was able to see the injection in a 400 HTTP error response. Beyond that, the rootkit cleverly handles chunked Transfer-Encodings and gzip Content-Encodings, though the latter does an in-kernel decompress-inject-compress cycle that could lead to noticeable server performance problems.

None of the abilities of the rootkit are particularly novel, though it is interesting to see them laid bare like this. As should be obvious, a rootkit can do an awful lot in a Linux system, and has plenty of ways to hide its tracks. While this rootkit only hid some of its tracks, some of that may have happened after the initial development. The CrowdStrike conclusion is instructive here: "Rather, it seems that this is contract work of an intermediate programmer with no extensive kernel experience, later customized beyond repair by the buyer."

The question of how the rootkit was installed to begin with is still open. Given the overall code quality, CrowdStrike is skeptical that some "custom privilege escalation exploit" was used. That implies that some known but unpatched vulnerability (perhaps in a web application) or some kind of credential leak (e.g. the root password or an SSH key) was the culprit. Until and unless some mass exploit is used to propagate an upgraded version of the rootkit, it is really only of academic interest—except, of course, to anyone whose system is already infected.

Comments (16 posted)

Brief items

Security quotes of the week

So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.
-- Marta Janus

I do stay awake at night worrying that people are tagging my photo on Facebook, which could allow the New York Police Dept to submit a photo of protesters to Facebook and get a list of names and addresses of the people in the photo. Or it could allow the police to track my movements via existing networks of surveillance cameras by matching my image to my name. Would that require a search warrant? How would that impact my trust in my government to know that my movements are being tracked? Or worse, to know they might be tracked but I'll never know if [they] are or aren't?
-- Jamie McClelland

The ITU is the wrong place to make decisions about the future of the Internet.

Only governments have a voice at the ITU. This includes governments that do not support a free and open Internet. Engineers, companies, and people that build and use the web have no vote.

The ITU is also secretive. The treaty conference and proposals are confidential.

-- Google is concerned about a closed-door International Telecommunication Union (ITU) meeting in December

Comments (2 posted)

Attacking hardened Linux systems with kernel JIT spraying

The "main is usually a function" blog has a discussion on the use of "Jit spraying" techniques to attack the kernel, even when features like supervisor-mode execution prevention are turned on. "JIT spraying is a viable tactic when we (the attacker) control the input to a just-in-time compiler. The JIT will write into executable memory on our behalf, and we have some control over what it writes. Of course, a JIT compiling untrusted code will be careful with what instructions it produces. The trick of JIT spraying is that seemingly innocuous instructions can be trouble when looked at another way."

Comments (44 posted)

New Linux Rootkit Emerges (Threat Post)

Threat Post reports the discovery of a rootkit that targets 64-bit Linux systems. "The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said that his site had been targeted by the malware and some of his customers had been redirected to malicious sites."

Comments (13 posted)

New vulnerabilities

java-1.5.0-ibm: two vulnerabilities

Package(s):java-1.5.0-ibm CVE #(s):CVE-2012-4820 CVE-2012-4822
Created:November 16, 2012 Updated:November 23, 2012
Description:

From the Red Hat advisory:

CVE-2012-4820 IBM JDK: java.lang.reflect.Method invoke() code execution

CVE-2012-4822 IBM JDK: java.lang.class code execution

Alerts:
Red Hat RHSA-2012:1485-01 java-1.4.2-ibm 2012-11-22
Red Hat RHSA-2012:1466-01 java-1.6.0-ibm 2012-11-15
Red Hat RHSA-2012:1465-01 java-1.5.0-ibm 2012-11-15
Red Hat RHSA-2012:1467-01 java-1.7.0-ibm 2012-11-15

Comments (none posted)

java-1.6.0-ibm: code execution

Package(s):java-1.6.0-ibm CVE #(s):CVE-2012-4823
Created:November 16, 2012 Updated:November 21, 2012
Description:

From the Red Hat advisory:

CVE-2012-4823 IBM JDK: java.lang.ClassLoder defineClass() code execution

Alerts:
Red Hat RHSA-2012:1467-01 java-1.7.0-ibm 2012-11-15
Red Hat RHSA-2012:1466-01 java-1.6.0-ibm 2012-11-15

Comments (none posted)

java-1.7.0-ibm: code execution

Package(s):java-1.7.0-ibm CVE #(s):CVE-2012-4821
Created:November 16, 2012 Updated:November 21, 2012
Description:

From the Red Hat advisory:

CVE-2012-4821 IBM JDK: getDeclaredMethods() and setAccessible() code execution

Alerts:
Red Hat RHSA-2012:1467-01 java-1.7.0-ibm 2012-11-15

Comments (none posted)

kdelibs: multiple vulnerabilities

Package(s):kdelibs CVE #(s):CVE-2012-4515 CVE-2012-4514
Created:November 16, 2012 Updated:February 18, 2013
Description:

From the Fedora advisory:

Bug #865831 - CVE-2012-4515 kdelibs: Use-after-free when context menu being used whilst the document DOM is being changed from within JavaScript

Bug #869681 - CVE-2012-4514 kdelibs (khtml): NULL pointer dereference when trying to reuse a frame with null part

Alerts:
Gentoo 201406-31 konqueror 2014-06-27
Mageia MGASA-2013-0054 kdelibs4 2013-02-16
openSUSE openSUSE-SU-2013:0127-1 kdelibs 2013-01-23
Fedora FEDORA-2012-17385 kdelibs 2012-11-16
openSUSE openSUSE-SU-2012:1581-1 kdelibs4 2012-11-28
Fedora FEDORA-2012-17388 kdelibs 2012-11-16

Comments (none posted)

libtiff: code execution

Package(s):tiff CVE #(s):CVE-2012-4564
Created:November 15, 2012 Updated:December 31, 2012
Description:

From the Ubuntu advisory:

Huzaifa S. Sidhpurwala discovered that the ppm2tiff tool incorrectly handled certain malformed PPM images. If a user or automated system were tricked into opening a specially crafted PPM image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. (CVE-2012-4564)

Alerts:
Fedora FEDORA-2014-6831 mingw-libtiff 2014-06-10
Fedora FEDORA-2014-6837 mingw-libtiff 2014-06-10
Gentoo 201402-21 tiff 2014-02-21
Slackware SSA:2013-290-01 libtiff 2013-10-18
Mandriva MDVSA-2013:046 libtiff 2013-04-05
openSUSE openSUSE-SU-2013:0187-1 tiff 2013-01-23
Fedora FEDORA-2012-20404 libtiff 2012-12-31
Fedora FEDORA-2012-20446 libtiff 2012-12-31
Scientific Linux SL-libt-20121219 libtiff 2012-12-19
Oracle ELSA-2012-1590 libtiff 2012-12-19
Oracle ELSA-2012-1590 libtiff 2012-12-18
CentOS CESA-2012:1590 libtiff 2012-12-19
CentOS CESA-2012:1590 libtiff 2012-12-19
Red Hat RHSA-2012:1590-01 libtiff 2012-12-18
Mandriva MDVSA-2012:174 libtiff 2012-11-22
Ubuntu USN-1631-1 tiff 2012-11-15
Debian DSA-2575-1 tiff 2012-11-18
Mageia MGASA-2012-0332 libtiff 2012-11-17

Comments (none posted)

libunity-webapps: code execution

Package(s):libunity-webapps CVE #(s):CVE-2012-4551
Created:November 21, 2012 Updated:November 21, 2012
Description: From the Ubuntu advisory:

It was discovered that libunity-webapps improperly handled certain hash tables. A remote attacker could use this issue to cause libunity-webapps to crash, or possibly execute arbitrary code.

Alerts:
Ubuntu USN-1635-1 libunity-webapps 2012-11-21

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):firefox, thunderbird CVE #(s):CVE-2012-4201 CVE-2012-4202 CVE-2012-4207 CVE-2012-4209 CVE-2012-4210 CVE-2012-4214 CVE-2012-4215 CVE-2012-4216 CVE-2012-5829 CVE-2012-5830 CVE-2012-5833 CVE-2012-5835 CVE-2012-5839 CVE-2012-5840 CVE-2012-5841 CVE-2012-5842
Created:November 21, 2012 Updated:January 8, 2013
Description: From the Red Hat advisory:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842)

A buffer overflow flaw was found in the way Firefox handled GIF (Graphics Interchange Format) images. A web page containing a malicious GIF image could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-4202)

A flaw was found in the way the Style Inspector tool in Firefox handled certain Cascading Style Sheets (CSS). Running the tool (Tools -> Web Developer -> Inspect) on malicious CSS could result in the execution of HTML and CSS content with chrome privileges. (CVE-2012-4210)

A flaw was found in the way Firefox decoded the HZ-GB-2312 character encoding. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website. (CVE-2012-4207)

A flaw was found in the location object implementation in Firefox. Malicious content could possibly use this flaw to allow restricted content to be loaded by plug-ins. (CVE-2012-4209)

A flaw was found in the way cross-origin wrappers were implemented. Malicious content could use this flaw to perform cross-site scripting attacks. (CVE-2012-5841)

A flaw was found in the evalInSandbox implementation in Firefox. Malicious content could use this flaw to perform cross-site scripting attacks. (CVE-2012-4201)

Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
openSUSE openSUSE-SU-2013:0175-1 mozilla 2013-01-23
Gentoo 201301-01 firefox 2013-01-07
Debian DSA-2588-1 icedove 2012-12-16
Debian DSA-2584-1 iceape 2012-12-08
Debian DSA-2583-1 iceweasel 2012-12-08
Mageia MGASA-2012-0353 iceape 2012-12-07
Fedora FEDORA-2012-18683 firefox 2012-11-22
CentOS CESA-2012:1483 thunderbird 2012-11-22
CentOS CESA-2012:1482 firefox 2012-11-22
Scientific Linux SL-thun-20121121 thunderbird 2012-11-21
Oracle ELSA-2012-1483 thunderbird 2012-11-21
Oracle ELSA-2012-1482 firefox 2012-11-21
SUSE SUSE-SU-2012:1592-1 Mozilla Firefox 2012-11-29
openSUSE openSUSE-SU-2012:1586-1 xulrunner 2012-11-28
openSUSE openSUSE-SU-2012:1583-1 firefox 2012-11-28
Mageia MGASA-2012-0343 thunderbird 2012-11-23
Ubuntu USN-1638-2 ubufox 2012-11-21
Ubuntu USN-1636-1 thunderbird 2012-11-21
Slackware SSA:2012-326-03 thunderbird 2012-11-21
Slackware SSA:2012-326-01 seamonkey 2012-11-21
Fedora FEDORA-2012-18683 thunderbird-enigmail 2012-11-22
Fedora FEDORA-2012-18683 thunderbird 2012-11-22
Fedora FEDORA-2012-18931 seamonkey 2012-12-04
openSUSE openSUSE-SU-2012:1585-1 thunderbird 2012-11-28
Mageia MGASA-2012-0342 firefox 2012-11-23
Slackware SSA:2012-326-02 firefox 2012-11-21
Oracle ELSA-2012-1482 firefox 2012-11-21
Fedora FEDORA-2012-18683 xulrunner 2012-11-22
Fedora FEDORA-2012-18683 thunderbird-lightning 2012-11-22
Mandriva MDVSA-2012:173 firefox 2012-11-21
Red Hat RHSA-2012:1483-01 thunderbird 2012-11-20
Fedora FEDORA-2012-18952 seamonkey 2012-12-04
Ubuntu USN-1638-3 firefox 2012-12-03
openSUSE openSUSE-SU-2012:1584-1 seamonkey 2012-11-28
Ubuntu USN-1638-1 firefox 2012-11-21
CentOS CESA-2012:1483 thunderbird 2012-11-22
CentOS CESA-2012:1482 firefox 2012-11-22
Scientific Linux SL-fire-20121121 firefox 2012-11-21
Red Hat RHSA-2012:1482-01 firefox 2012-11-20

Comments (none posted)

mysql: multiple unspecified vulnerabilities

Package(s):mysql CVE #(s):CVE-2012-0540 CVE-2012-1689 CVE-2012-1734 CVE-2012-2749
Created:November 15, 2012 Updated:October 17, 2013
Description:

From the Red Hat advisory:

833737 - CVE-2012-2749 mysql: crash caused by wrong calculation of key length for sort order index

841349 - CVE-2012-0540 mysql: unspecified vulnerability related to GIS extension DoS (CPU Jul 2012)

841351 - CVE-2012-1689 mysql: unspecified vulnerability related to Server Optimizer DoS (CPU Jul 2012)

841353 - CVE-2012-1734 mysql: unspecified vulnerability related to Server Optimizer DoS (CPU Jul 2012)

Alerts:
Gentoo 201308-06 mysql 2013-08-29
Gentoo GLSA 201308-06:02 mysql 2013-08-30
Mandriva MDVSA-2013:008 mysql 2013-02-06
Scientific Linux SL-mysq-20130123 mysql 2013-01-23
Oracle ELSA-2013-0180 mysql 2013-01-22
CentOS CESA-2013:0180 mysql 2013-01-22
Red Hat RHSA-2013:0180-01 mysql 2013-01-22
Scientific Linux SL-mysq-20121115 mysql 2012-11-15
Oracle ELSA-2012-1462 mysql 2012-11-14
CentOS CESA-2012:1462 mysql 2012-11-15
Red Hat RHSA-2012:1462-01 mysql 2012-11-14

Comments (none posted)

phpmyadmin: cross-site scripting

Package(s):phpmyadmin CVE #(s):CVE-2012-5339 CVE-2012-5368
Created:November 20, 2012 Updated:November 21, 2012
Description: From the CVE entries:

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.3 allow remote authenticated users to inject arbitrary web script or HTML via a crafted name of (1) an event, (2) a procedure, or (3) a trigger. (CVE-2012-5339)

phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through an HTTP session to phpmyadmin.net without SSL, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by modifying this code. (CVE-2012-5368)

Alerts:
openSUSE openSUSE-SU-2012:1507-1 phpmyadmin 2012-11-20

Comments (none posted)

python-keyring: weak cryptography

Package(s):python-keyring CVE #(s):CVE-2012-4571
Created:November 21, 2012 Updated:December 4, 2013
Description: From the Ubuntu advisory:

Dwayne Litzenberger discovered that Python Keyring's CryptedFileKeyring file format used weak cryptography. A local attacker may use this issue to brute-force CryptedFileKeyring keyring files.

Alerts:
Fedora FEDORA-2013-22694 python-keyring 2013-12-04
Ubuntu USN-1634-1 python-keyring 2012-11-20

Comments (none posted)

ruby: denial of service

Package(s):ruby CVE #(s):CVE-2012-5371
Created:November 19, 2012 Updated:December 7, 2012
Description: From the Red Hat bugzilla:

Ruby 1.9.3-p327 was released to correct a hash-flooding DoS vulnerability that only affects 1.9.x and the 2.0.0 preview [1].

As noted in the upstream report:

Carefully crafted sequence of strings can cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. For instance, this vulnerability affects web application that parses the JSON data sent from untrusted entity.

This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using modified MurmurHash function but it's reported that there is a way to create sequence of strings that collide their hash values each other. This fix changes the Hash function of String object from the MurmurHash to SipHash 2-4.

Ruby 1.8.x is not noted as being affected by this flaw.

Alerts:
Debian-LTS DLA-263-1 ruby1.9.1 2015-07-01
Gentoo 201412-27 ruby 2014-12-13
openSUSE openSUSE-SU-2013:0376-1 ruby19 2013-03-01
Red Hat RHSA-2013:0582-01 openshift 2013-02-28
Ubuntu USN-1733-1 ruby1.9.1 2013-02-21
Slackware SSA:2012-341-04 ruby 2012-12-06
Fedora FEDORA-2012-18017 ruby 2012-11-19

Comments (none posted)

typo3-src: multiple vulnerabilities

Package(s):typo3-src CVE #(s):
Created:November 16, 2012 Updated:November 21, 2012
Description:

From the Debian advisory:

Several vulnerabilities were discovered in TYPO3, a content management system. This update addresses cross-site scripting, SQL injection, and information disclosure vulnerabilities and corresponds to TYPO3-CORE-SA-2012-005.

Alerts:
Debian DSA-2574-1 typo3-src 2012-11-15

Comments (none posted)

weechat: code execution

Package(s):weechat CVE #(s):CVE-2012-5854
Created:November 19, 2012 Updated:November 28, 2012
Description: From the CVE entry:

Heap-based buffer overflow in WeeChat 0.3.6 through 0.3.9 allows remote attackers to cause a denial of service (crash or hang) and possibly execute arbitrary code via crafted IRC colors that are not properly decoded.

Alerts:
Gentoo 201405-03 weechat 2014-05-03
Mandriva MDVSA-2013:136 weechat 2013-04-10
openSUSE openSUSE-SU-2013:0150-1 weechat 2013-01-23
Fedora FEDORA-2012-19538 weechat 2012-12-11
Fedora FEDORA-2012-19533 weechat 2012-12-11
openSUSE openSUSE-SU-2012:1580-1 weechat 2012-11-28
Mageia MGASA-2012-0330 weechat 2012-11-17
Fedora FEDORA-2012-18006 weechat 2012-11-19
Fedora FEDORA-2012-17973 weechat 2012-11-19

Comments (none posted)

xen: multiple vulnerabilities

Package(s):Xen CVE #(s):CVE-2012-3497 CVE-2012-4535 CVE-2012-4536 CVE-2012-4537 CVE-2012-4538 CVE-2012-4539
Created:November 16, 2012 Updated:December 24, 2012
Description:

From the SUSE advisory:

* CVE-2012-4535: xen: Timer overflow DoS vulnerability (XSA 20)

* CVE-2012-4536: xen: pirq range check DoS vulnerability (XSA 21)

* CVE-2012-4537: xen: Memory mapping failure DoS vulnerability (XSA 22)

* CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability (XSA 23)

* CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability (XSA 24)

* CVE-2012-3497: xen: multiple TMEM hypercall vulnerabilities (XSA-15)

Alerts:
Gentoo 201604-03 xen 2016-04-05
SUSE SUSE-SU-2014:0470-1 Xen 2014-04-01
SUSE SUSE-SU-2014:0446-1 Xen 2014-03-25
Gentoo 201309-24 xen 2013-09-27
openSUSE openSUSE-SU-2012:1687-1 xen 2012-12-23
openSUSE openSUSE-SU-2012:1685-1 xen 2012-12-23
Debian DSA-2582-1 xen 2012-12-07
Oracle ELSA-2012-1540 kernel 2012-12-05
Scientific Linux SL-kern-20121206 kernel 2012-12-06
SUSE SUSE-SU-2012:1615-1 Xen 2012-12-06
SUSE SUSE-SU-2012:1487-1 Xen 2012-11-16
openSUSE openSUSE-SU-2012:1573-1 XEN 2012-11-26
openSUSE openSUSE-SU-2012:1572-1 XEN 2012-11-26
Fedora FEDORA-2012-18242 xen 2012-11-23
SUSE SUSE-SU-2012:1486-1 Xen 2012-11-16
Fedora FEDORA-2012-18249 xen 2012-11-23
SUSE SUSE-SU-2012:1503-1 libvirt 2012-11-19
CentOS CESA-2012:1540 kernel 2012-12-05
Red Hat RHSA-2012:1540-01 kernel 2012-12-04

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds