Gentoo kernel versions and the latest vulnerabilities

Let’s talk about kernel releases, the latest two kernel vulnerabilities, and what vanilla or gentoo-sources you should be running.

The two vulnerabilities I’m talking about are:

CVE-2010-3301 (http://bugs.gentoo.org/show_bug.cgi?id=337645)
CVE-2010-3081 (http://bugs.gentoo.org/show_bug.cgi?id=337659)

Kernel Versions

2.6.32
>=gentoo-sources-2.6.32-r18 and vanilla-sources-2.6.32.23 contain the fixes for both CVE-2010-3081 and CVE-2010-3301.
stable request: http://bugs.gentoo.org/show_bug.cgi?id=338317

2.6.34
>=gentoo-sources-2.6.34-r11 (and no vanilla 2.6.34) contain the fixes for both CVE-2010-3081 and CVE-2010-3301.
stable request: http://bugs.gentoo.org/show_bug.cgi?id=339819

2.6.35
>=gentoo-sources-2.6.35-r8 and >=vanilla-sources-2.6.35.5 contain the fixes for both CVE-2010-3081 and CVE-2010-3301.
2.6.35 will only be stabilized after the new baselayout 1.2.14-r1 has been in the tree for 30 days. I described the problem in an earlier blog post so I will not rehash the whole story.
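
One way to check a running kernel against the versions listed above, as an added example that is not part of the original post. It assumes gentoo-sources kernels report `uname -r` as `2.6.X-gentoo-rN` and vanilla kernels as `2.6.X.Y`; the function name and the `fixed`/`unfixed`/`unlisted` labels are made up for this example.

```shell
#!/bin/sh
# Classify a kernel release string against the versions this post lists as
# containing the fixes for CVE-2010-3081 and CVE-2010-3301.
# Prints one of:
#   fixed    - at or above the first fixed release named in the post
#   unfixed  - same series and flavour, but older than that release
#   unlisted - series or flavour the post says nothing about
# Assumed release formats: 2.6.X-gentoo[-rN] and 2.6.X[.Y].
kernel_fix_status() {
    rel=$1
    case $rel in
        2.6.[0-9]*) ;;
        *) echo unlisted; return 0 ;;
    esac
    rest=${rel#2.6.}            # e.g. "34-gentoo-r11" or "32.23"
    series=${rest%%[!0-9]*}     # leading digits: 34, 32
    tail=${rest#"$series"}      # "-gentoo-r11", ".23" or ""

    case $tail in
        -gentoo)         flavor=gentoo;  n=0 ;;
        -gentoo-r[0-9]*) flavor=gentoo;  n=${tail#-gentoo-r} ;;
        "")              flavor=vanilla; n=0 ;;
        .[0-9]*)         flavor=vanilla; n=${tail#.} ;;
        *) echo unlisted; return 0 ;;   # other flavours, local suffixes
    esac
    # Anything left over besides digits means a format we do not recognise.
    case $n in *[!0-9]*) echo unlisted; return 0 ;; esac

    # Minimum revision / point release per series, taken from the post.
    case $series-$flavor in
        32-gentoo)  min=18 ;;
        32-vanilla) min=23 ;;
        34-gentoo)  min=11 ;;
        34-vanilla) echo unfixed; return 0 ;;  # no fixed vanilla 2.6.34 listed
        35-gentoo)  min=8 ;;
        35-vanilla) min=5 ;;
        *) echo unlisted; return 0 ;;
    esac
    if [ "$n" -ge "$min" ]; then echo fixed; else echo unfixed; fi
}

# Check the kernel that is currently booted.
kernel_fix_status "$(uname -r)"
```

The result describes the booted kernel only; a newer kernel that is installed but not yet rebooted into does not change it.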

If *anyone* feels a kernel version needs to be stabilized we have this cool thing called bugzilla. Open a bug! We also have this other cool thing (I don’t think Gentoo invented it, not sure) called IRC. I am on IRC 24/7 and will always look to see if someone highlights my name. Talk to me first. Then feel free to bash me if I don’t respond in our users’ best interest. I always try to do what’s best for the community and if I am slacking, it’s only due to life/wife/family/job.

The gentoo-sources team actively supports gentoo-sources users, no matter the keyword state. We used to only support two versions (the current release and current release – 1). But now we support the latest upstream LTS as well.

We would also welcome any users or devs who are interested in maintaining the kernel at Gentoo to join the team.

Hope this helps clarify things, always feel free to reach out to me.

Mike

5 Comments

  1. Alexander E. Patrakov

    Many thanks for making a fixed 2.6.34 kernel. I use it now.

  2. Kevin Bowling

    Mike,

    I’d like to join the kernel team. Would you be willing to mentor me through the dev test? Let’s set up a meeting on IRC.

    Regards,
    Kevin

  3. Rich0

    FYI – the main reason I didn’t just ping you on IRC about this was that there had been back-and-forth on the existing bugs and gentoo-security about the issue, and there had not been any notice to end-users.

    The blog post was as much about sending an FYI to users that we’re still vulnerable as raising awareness. I guess a news item would work, but in theory we should be able to stabilize a kernel as fast as we could approve a news item anyway.

    It really wasn’t my intention to send jabs or anything like that, it really wasn’t.

  4. krwi

    Is hardened-source affected too?

  5. grimmlin

    Hi,

    There seems to be a swap bug in 2.6.35 related to KSM. I could only hit it with a small RAM configuration: http://forums.gentoo.org/viewtopic-t-848026-start-0-postdays-0-postorder-asc-highlight-.html

    I saw a few mm/swap commits in linux-next regarding race conditions and deadlock (link on the forum post).

    Cheers
