update changelog, reformatting to new conventions;
drop unusued sockglue patch (included in 2.6.12.6) svn path=/dists/sid/linux-2.6/; revision=4127
This commit is contained in:
Andres Salomon
parent
929ce1d9db
commit
2e1747ab4b
|
|
@ -2,44 +2,30 @@ linux-2.6 (2.6.12-6) UNRELEASED; urgency=low
|
|||
|
||||
[ Andres Salomon, Bastian Blank ]
|
||||
* Change ATM and Classical-IP-over-ATM to be modular, instead of being
|
||||
statically included.
|
||||
(closes: #323143)
|
||||
statically included. (closes: #323143)
|
||||
|
||||
[ Sven Luther ]
|
||||
* [powerpc]
|
||||
- Added pmac-sound sanity check patch.
|
||||
- Added preliminary apus patch, not applied though.
|
||||
* [powerpc] powerpc-pmac-sound-check.patch: Added pmac-sound sanity check.
|
||||
* [powerpc] powerpc-apus.patch:
|
||||
Added preliminary apus patch to package, not applied to kernel tree yet.
|
||||
|
||||
[ Simon Horman ]
|
||||
* Unset CC_OPTIMIZE_FOR_SIZE in i386 config,
|
||||
it breaks iproute's (and other netlink users) ability
|
||||
to set routes. (closes: #322723)
|
||||
|
||||
* net-sockglue-cap.patch
|
||||
[Security] Restrict socket policy loading to CAP_NET_ADMIN.
|
||||
See CAN-2005-2555.
|
||||
|
||||
* zlib deflateBound() patch added as part of the 2.6.12.5 patch in
|
||||
2.6.12-3 now has a CAN number.
|
||||
See CAN-2005-2457
|
||||
|
||||
* Added 2.6.12.6
|
||||
- [Security] Restrict socket policy loading to CAP_NET_ADMIN.
|
||||
See CAN-2005-2555.
|
||||
- [Maybe-Security: Can remote traffic trigger this]
|
||||
Fix DST leak in icmp_push_reply()
|
||||
- [Maybe-Security: Seems like a local DoS]
|
||||
NPTL signal delivery deadlock fix
|
||||
- [SECURITY: CAN-2005-2555] Restrict socket policy loading to
|
||||
CAP_NET_ADMIN.
|
||||
- [SECURITY] Fix DST leak in icmp_push_reply(). Possible remote
|
||||
DoS?
|
||||
- [SECURITY] NPTL signal delivery deadlock fix; possible local
|
||||
DoS.
|
||||
- fix gl_skb/skb type error in genelink driver in usbnet
|
||||
- [Maybe-Security: Seems like a local DoS]
|
||||
fix a memory leak in devices seq_file implementation
|
||||
- [Maybe-Security: Seems like a local DoS]
|
||||
Fix SKB leak in ip6_input_finish()
|
||||
|
||||
* amd64-insert_vm_struct-leak.patch
|
||||
[Security] TASK_SIZE fixes for compatibility mode processes
|
||||
See CAN-2005-2617
|
||||
*
|
||||
- [SECURITY] fix a memory leak in devices seq_file implementation;
|
||||
local DoS.
|
||||
- [SECURITY] Fix SKB leak in ip6_input_finish(); local DoS.
|
||||
* [SECURITY: CAN-2005-2617] amd64-insert_vm_struct-leak.patch
|
||||
TASK_SIZE fixes for compatibility mode processes.
|
||||
|
||||
-- Simon Horman <horms@debian.org> Thu, 1 Sep 2005 17:02:35 +0900
|
||||
|
||||
|
|
@ -110,7 +96,7 @@ linux-2.6 (2.6.12-3) unstable; urgency=low
|
|||
- [security] Zlib fixes See CAN-2005-2458, CAN-2005-2459
|
||||
http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
|
||||
http://bugs.gentoo.org/show_bug.cgi
|
||||
- Add zlib deflateBound()
|
||||
- [security] Add zlib deflateBound(). See CAN-2005-2457
|
||||
- [security] Fix error during session join. See CAN-2005-2098
|
||||
- [security] Fix keyring destructor. See CAN-2005-2099
|
||||
- Module per-cpu alignment cannot always be met
|
||||
|
|
|
|||
|
|
@ -1,39 +0,0 @@
|
|||
From: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Date: Sat, 6 Aug 2005 13:33:15 +0000 (-0700)
|
||||
Subject: [IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
|
||||
X-Git-Tag: v2.6.13-rc6
|
||||
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2
|
||||
|
||||
[IPSEC]: Restrict socket policy loading to CAP_NET_ADMIN.
|
||||
|
||||
The interface needs much redesigning if we wish to allow
|
||||
normal users to do this in some way.
|
||||
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
|
||||
--- a/net/ipv4/ip_sockglue.c
|
||||
+++ b/net/ipv4/ip_sockglue.c
|
||||
@@ -848,6 +848,9 @@ mc_msf_out:
|
||||
|
||||
case IP_IPSEC_POLICY:
|
||||
case IP_XFRM_POLICY:
|
||||
+ err = -EPERM;
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ break;
|
||||
err = xfrm_user_policy(sk, optname, optval, optlen);
|
||||
break;
|
||||
|
||||
--- a/net/ipv6/ipv6_sockglue.c
|
||||
+++ b/net/ipv6/ipv6_sockglue.c
|
||||
@@ -504,6 +504,9 @@ done:
|
||||
break;
|
||||
case IPV6_IPSEC_POLICY:
|
||||
case IPV6_XFRM_POLICY:
|
||||
+ retv = -EPERM;
|
||||
+ if (!capable(CAP_NET_ADMIN))
|
||||
+ break;
|
||||
retv = xfrm_user_policy(sk, optname, optval, optlen);
|
||||
break;
|
||||
|
||||
Loading…
Reference in New Issue