Bug 157459 - Multiple Kernel vulnerabilities
Multiple Kernel vulnerabilities
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: kernel (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
rh73, rh9, 1, 2, 3
: Security
: 168803 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-05-11 15:07 EDT by Pavel Kankovsky
Modified: 2007-04-18 13:25 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-16 19:49:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
The patch for CAN-2005-1263 (1.69 KB, patch)
2005-05-11 18:08 EDT, Pavel Kankovsky
no flags Details | Diff
Patch based on RHEL changes (1.07 KB, patch)
2005-06-11 12:23 EDT, Jonathan Peatfield
no flags Details | Diff
Kernel issues (10.36 KB, application/vnd.oasis.opendocument.spreadsheet)
2006-01-27 20:30 EST, Marc Deslauriers
no flags Details
Same spreadsheet in OO.o 1.x format (10.12 KB, application/vnd.sun.xml.calc)
2006-02-01 17:30 EST, Marc Deslauriers
no flags Details
Updated kernel bug spreadsheet (10.75 KB, application/vnd.sun.xml.calc)
2006-02-07 23:19 EST, Marc Deslauriers
no flags Details

  None (edit)
Description Pavel Kankovsky 2005-05-11 15:07:15 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Mozilla rulez!)

Description of problem:
Paul Starzetz of iSEC has found yet another bug in binfmt_elf.c. It can be abused to crash the kernel, perhaps even to break into the kernel land. See the advisory for details.

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:


Additional info:

I've got a quick and dirty patch. I'll submit it ASAP.
Comment 1 Pavel Kankovsky 2005-05-11 15:21:54 EDT
Grr...Bugzilla assigned the bug to kernel-maint@redhat.com rather than to
bugs@fedoralegacy.org
Comment 2 Pavel Kankovsky 2005-05-11 18:08:15 EDT
Created attachment 114264 [details]
The patch for CAN-2005-1263

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This patch can be applied to FL kernel 2.4.20-43:

402e548b02382c015d6f5e5704370a1ba546598b 
linux-2.4.20-CAN-2005-1263-elfcoredump.patch

When you run iSEC PoC code on it, it dies with SIGSEGV and dumps core
without any adverse effects to the system.

The patch is probably more intrusive than necessary because it makes three
changes addressing the following three problems:

- - potential invariant violation in create_elf_tables()
- - missing check of create_elf_tables()'s return value in load_elf_binary()
- - signedness problem in elf_core_dump()

A closer look at the code reveal that the second change is almost pointless
because a process with bprm->p == NULL is doomed to die anyway.

The first change might be redundant but I'd keep it because there might
be other pieces of code out there (/proc?) that would break when
arg_start > arg_end or env_start > env_end.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCgoIypaUY/d+KOrERAkHAAJ979TBtSbluXBHm3uSJZS039ogrvwCfRcJD
CzEgkfJGpuEX/iF38O+wvSQ=
=gL0s
-----END PGP SIGNATURE-----
Comment 3 Matthew Miller 2005-05-13 13:25:29 EDT
See bug #157454 for the FC3 kernel and their update.
Comment 4 Jonathan Peatfield 2005-06-06 12:59:39 EDT
The patch in RHEL (2.4.21-32.0.1.EL) seems to close the hole in a different way
(as far as I can tell).  In their patch (part of the much larger
linux-2.4.21-binfmt-elf.patch), it seems that they:

Initialise current->mm->arg_end, current->mm->env_start, current->mm->env_end to
0 (in both binfmt_aout.c and binfmt_elf.c), and add put a test for
current->mm->arg_end being non-null before copying data from user-space in
binfmt_elf.c after the memset(&psinfo, 0, sizeof(psinfo)); at about line 1076.

This is based on diffing the source/patch changes between 2.4.21-32.EL and
2.4.21-32.0.1.EL so may not include any changes they already made before that.

I'm happy to construct/test a patch based on the RHEL change if anyone is
interested.
Comment 5 Matthew Miller 2005-06-10 09:12:55 EDT
yes, am interested.
Comment 6 Jonathan Peatfield 2005-06-11 12:23:58 EDT
Created attachment 115324 [details]
Patch based on RHEL changes

Well here is the patch I constructed, it seems a bit small to be a full fix for
the issue, or maybe RHEL's patches already included a partial fix for this in
2.4.21-32.

Taking the -43 FL specfile, I just add:

# CAN-2005-1263 fix as done in RHEL 2.4.21-32.0.1.EL
Patch11036: CAN-2005-1263.exec.patch

This patch applies cleanly for me (on RH8 at least), though I've not yet
finished a build with this patch, yet alone checked if it fixes the issue.
Comment 7 Jonathan Peatfield 2005-06-11 12:26:47 EDT
Doh, clearly one also needs to add:

# CAN-2005-1263 patch
%patch11036 -p1

later in the specfile.  Not awake today...
Comment 8 Matthew Miller 2005-06-26 14:45:28 EDT
What's the state on this one?
Comment 9 Pavel Kankovsky 2005-07-04 19:26:19 EDT
Back to the trees! The bug (or most of it) has already been fixed in 2.4.20-43
by the following snippet of linux-RHEL-missing-fixes.patch:

--- linux-2.4.20/fs/binfmt_elf.c.stg0   Wed Aug  4 14:56:13 2004
+++ linux-2.4.20/fs/binfmt_elf.c        Wed Aug  4 15:06:43 2004
@@ -1048,7 +1048,7 @@
                int i, len;
 
                len = current->mm->arg_end - current->mm->arg_start;
-               if (len >= ELF_PRARGSZ)
+               if (len < 0 /* overflow */ || len >= ELF_PRARGSZ)
                        len = ELF_PRARGSZ-1;
                copy_from_user(&psinfo.pr_psargs,
                              (const char *)current->mm->arg_start, len);

It might be a good idea to add some extra fixes to enforce sane values of
arg_start, arg_end et alii under any circumstances (even in a.out) but RHEL
patch (attachment 115324 [details]) appears to be rather silly to me.
Comment 10 John Dalbec 2005-09-08 08:32:30 EDT
Does this affect us?

05.32.12 CVE: CAN-2005-1761
Platform: Linux
Title: Linux Kernel NFSACL Protocol XDR Data Remote Denial of Service
Description: Linux Kernel is affected by a remote denial of service
vulnerability when handling XDR data for the nfsacl protocol. An
attacker could leverage this issue to deny service to legitimate users
and possibly gain unauthorized access to the machine. Please refer the
link below for a list of vulnerable versions.
Ref: http://www.securityfocus.com/advisories/9010 
Comment 11 David Eisenstein 2005-10-03 07:04:55 EDT
From the way I read things, John, CAN-2005-1761 only affects IA64 CPUs.  We 
don't support IA64, so CAN-2005-1761 does not affect us AFAICT.

CAN-2005-1263:  
"The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to
2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users
to execute arbitrary code via an ELF binary that, in certain conditions
involving the create_elf_tables function, causes a negative length argument
to pass a signed integer comparison, leading to a buffer overflow."

Sounds pretty serious to me....

So does anyone want to build some .src.rpm's for the main (CAN-2005-1263) 
issue?

Has anyone built a 2.4.x kernel based on these patches?  Jonathan?  Pavel?
A 2.6.x kernel?  I can't tell from the above comments whether or not the 
patches submitted above have actually been tested or not....
Comment 12 Pekka Savola 2005-11-18 01:06:39 EST
*** Bug 168803 has been marked as a duplicate of this bug. ***
Comment 13 John Dalbec 2005-12-07 16:17:04 EST
    * 05.48.7 - CVE: CVE-2005-3275
    * Platform: Linux
    * Title: Linux Kernel NAT Handling Memory Corruption Denial of Service
    * Description: Linux Kernel is vulnerable to a denial of service issue. An
attacker can exploit this by causing two packets for the same protocol to be
NATed at the same time, resulting in a memory corruption. Please refer the links
below for a list of affected versions.
    * Ref: http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.32
http://www.securityfocus.com/bid/15531/info 

    * 05.48.9 - CVE: CVE-2005-3272
    * Platform: Linux
    * Title: Linux Kernel Network Bridge Incorrectly Forwarded Packets
Information Disclosure
    * Description: The Linux Kernel is susceptible to an information disclosure
vulnerability in its network bridging functionality. When packet filtering on a
bridge, packets that are dropped by the packet filter result in an inappropriate
bridge forwarding database. Malicious users that send spoofed packets to an
affected firewall can cause the forwarding database to be updated in such a
fashion that packets that should not normally traverse the bridge are leaked
back to the attacker. Kernel versions 2.6.11.11 and prior are vulnerable to this
issue.
    * Ref: http://www.securityfocus.com/bid/15536 
Comment 14 Marc Deslauriers 2006-01-27 20:29:34 EST
I have made a spreadsheet of all the kernel issues I could find with their
status.  If I've missed any, please tell me. I will be making updated FL kernel
packages based on the spreadsheet.
Comment 15 Marc Deslauriers 2006-01-27 20:30:44 EST
Created attachment 123817 [details]
Kernel issues
Comment 16 Marc Deslauriers 2006-01-30 19:14:44 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated fc3 kernel packages to QA:

Changelog:
* Fri Jan 27 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.6.12-2.1.legacy_FC3
- - Added patches for:
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)


a9e90391d398e0db501632ad415f0cf5f3101bbd  kernel-2.6.12-2.1.legacy_FC3.i586.rpm
853fcc0e094cadf9538c67a2964c78c51572ba4e  kernel-2.6.12-2.1.legacy_FC3.i686.rpm
a03913be7b9960b5f683c53e6557b69663e052de  kernel-2.6.12-2.1.legacy_FC3.src.rpm
18f05ab567ce025cd0a445af3b13680efd6f1979  kernel-smp-2.6.12-2.1.legacy_FC3.i586.rpm
3b19af6db102be01ae11a1988ac7ea1cebe5db6c  kernel-smp-2.6.12-2.1.legacy_FC3.i686.rpm

http://www.infostrategique.com/linuxrpms/legacy/3/kernel-2.6.12-2.1.legacy_FC3.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD3q0oLMAs/0C4zNoRArAuAKCtsED6KOGhwlGp2Z057fkWUL7GAgCeOCMD
bfn/tTemPCF5yAwdVDZyHaE=
=8Dt4
-----END PGP SIGNATURE-----
Comment 17 Marc Deslauriers 2006-01-30 19:15:44 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated fc2 kernel packages to QA:

Changelog:
* Sat Jan 28 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.6.10-2.1.legacy_FC2
- - Added patches for:
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-0839 (Only root should be able to set the N_MOUSE line discipline)
  CVE-2005-0867 (signedness issue in sysfs)
  CVE-2005-0937 (futex mmap_sem deadlock)
  CVE-2005-0977 (tmpfs truncate bug)
  CVE-2005-1041 (crash while reading /proc/net/route)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1264 (data corruptor/local root in raw driver)
  CVE-2005-1265 (Prevent NULL mmap in topdown model)
  CVE-2005-1368 (key lookup race DoS)
  CVE-2005-1369 (i2c alarms sysfs DoS)
  CVE-2005-1761 (ia64 ptrace vulnerability)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-1763 (x86_64-ptrace-overflow crash)
  CVE-2005-2098 (key management session can leave semaphore pinned)
  CVE-2005-2099 (Destruction of failed keyring oopses)
  CVE-2005-2456 (IPSEC overflow)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2492 (Fix raw_sendmsg accesses)
  CVE-2005-2555 (IPSEC lacks restrictions)
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)

d87ebc435f09b44a39534d5c45d241d2c75e3034  kernel-2.6.10-2.1.legacy_FC2.i586.rpm
93a40aa21fa2afc091015d57d4d88a4c40f430db  kernel-2.6.10-2.1.legacy_FC2.i686.rpm
31338b2bbd71bc1ad241125792d19a658d7c53fb  kernel-2.6.10-2.1.legacy_FC2.src.rpm
b9acaad79f099e82ef5c1b3928fd503a10a3ec3a  kernel-smp-2.6.10-2.1.legacy_FC2.i586.rpm
d7e0b9d299141b681c611add813c7289de2efe67  kernel-smp-2.6.10-2.1.legacy_FC2.i686.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/kernel-2.6.10-2.1.legacy_FC2.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD3q2FLMAs/0C4zNoRAmVEAJ0cPf+ZMGWlB7+Y+43nhkyNg+6ACQCZAbEA
kQjM/TScS49jDLJhAXQQPIo=
=aj4x
-----END PGP SIGNATURE-----
Comment 18 Marc Deslauriers 2006-01-30 19:17:05 EST
rh73, rh9 and fc1 kernels to QA will follow in a couple of days.
Comment 19 David Eisenstein 2006-01-30 21:43:08 EST
Regarding Attachment #123817 [details], I cannot open this file...
Can you create a spreadsheet file with an .sxc extension for OpenOffice 1.1?

Thanks, Marc!
Comment 20 Marc Deslauriers 2006-02-01 17:30:27 EST
Created attachment 124004 [details]
Same spreadsheet in OO.o 1.x format
Comment 21 David Eisenstein 2006-02-03 01:22:45 EST
Thanks for the OO.o 1.x spreadsheet.  I am floored - that took tons of work!
Are you looking for someone to check and make sure no CVE's were missed?

Incidentally, was wondering if we want to fix the problem mentioned in Bug
162208 - "[PATCH] bonding: don't drop non-VLAN traffic"?

Quoting Bug 162208 comment #2, "John W. Linville of Red Hat has proposed
a patch for this issue for RHEL 4's kernel as attachment #121717 [details] in Bug
174671 comment #2.  When we next go in to build a FC2 kernel for a
security problem, this is a patch we could put in also.  This problem
may be present in FC1's and FC3's kernel as well."
Comment 22 Marc Deslauriers 2006-02-03 18:24:50 EST
Don't QA the FC2 kernel yet. I missed a ton of patches. I'll post a rebuild soon.

I haven't added the patch from bug 162208. There are a bunch of other patch
requests open in bugzilla also. We unfortunately don't have enough
resources/time to include anything other than security fixes for now.
Comment 23 Marc Deslauriers 2006-02-03 23:54:24 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an updated fc1 kernel source package to QA.
It has not been compile-tested yet.

Changelog:
* Thu Feb 02 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.4.22-1.2199.6.legacy.nptl
- - Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2553 (32-bit ptrace find_target() oops)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

7ad6987740bc080d00e3d84b2450a35bed73f128  kernel-2.4.22-1.2199.6.legacy.nptl.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/1/kernel-2.4.22-1.2199.6.legacy.nptl.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD5DUbLMAs/0C4zNoRArexAKC7M+1HlEe39EbCqP7i1Xg8XVCpXgCguNkQ
dmjSSPhAVz+5YiEjcPZqQD0=
=x59p
-----END PGP SIGNATURE-----
Comment 24 Marc Deslauriers 2006-02-03 23:56:41 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an updated fc2 kernel source package to QA.
It has not been compile-tested.

Changelog:
* Fri Feb 03 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.6.10-2.2.legacy_FC2
- - Added patches for:
  CVE-2005-2800 (/proc/scsi/scsi DoS)
  CVE-2005-2801 (ext2/3 xattr sharing bug)
  CVE-2005-2872 (ipt_recent integer handling)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3053 (sys_set_mempolicy() bounds check)
  CVE-2005-3106 (exec_mmap race DoS)
  CVE-2005-3109 (HFS oops)
  CVE-2005-3110 (race in ebtables)
  CVE-2005-3180 (etherleak in orinoco)
  CVE-2005-3181 (names_cache memory leak)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area has minor info leak)
  CVE-2005-3848 (dst_entry leak DoS)
  CVE-2005-3858 (ip6_input_finish DoS)

* Sat Jan 28 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.6.10-2.1.legacy_FC2
- - Added patches for:
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-0839 (Only root should be able to set the N_MOUSE line discipline)
  CVE-2005-0867 (signedness issue in sysfs)
  CVE-2005-0937 (futex mmap_sem deadlock)
  CVE-2005-0977 (tmpfs truncate bug)
  CVE-2005-1041 (crash while reading /proc/net/route)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1264 (data corruptor/local root in raw driver)
  CVE-2005-1265 (Prevent NULL mmap in topdown model)
  CVE-2005-1368 (key lookup race DoS)
  CVE-2005-1369 (i2c alarms sysfs DoS)
  CVE-2005-1761 (ia64 ptrace vulnerability)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-1763 (x86_64-ptrace-overflow crash)
  CVE-2005-2098 (key management session can leave semaphore pinned)
  CVE-2005-2099 (Destruction of failed keyring oopses)
  CVE-2005-2456 (IPSEC overflow)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2492 (Fix raw_sendmsg accesses)
  CVE-2005-2555 (IPSEC lacks restrictions)
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)

f724adbaececd7b2b4ce9490b7133d20d8d6de07  kernel-2.6.10-2.2.legacy_FC2.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/kernel-2.6.10-2.2.legacy_FC2.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD5DWsLMAs/0C4zNoRAv8UAJ48asXNEjZh+m/xJ2DE5mU91kRTngCfeI45
29uWus4/bd9Ujbilf7mepAM=
=Nw7H
-----END PGP SIGNATURE-----
Comment 25 Marc Deslauriers 2006-02-03 23:59:39 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an updated rh9 and rh73 kernel source package to QA.
It has not been compile-tested yet.
It can be compiled for rh73 by changing the nptl switch near the
beginning of the spec file.

Changelog:
* Fri Feb 03 2006 Marc Deslauriers <marcdeslauriers@videotron.ca> 2.4.20-44.9.legacy
- - Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0124 (coda fs flaw)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3273 (ROSE ndigis verification)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

a0c0ac526cf62a6933c17abc6ec2217d38daeceb  kernel-2.4.20-44.9.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/kernel-2.4.20-44.9.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD5DZOLMAs/0C4zNoRAgsXAKCR9GVKxdmCIxCFCbTVniqGT6fkQwCggwTq
ygZIu+nJTk+zl0BNMEa7KHg=
=0Ojt
-----END PGP SIGNATURE-----
Comment 26 Pekka Savola 2006-02-04 17:12:37 EST
I checked the patches in RHL9, and they were good based on upstream.

Two comments:
 - AFAICS, CVE-2005-3044 is 64-bit specific, isn't it?
 - compilation fails due to sysctl-unregister.patch:

+       struct proc_dir_entry *de = PDE(file->f_dentry->d_inode);

.. the error is:

kernel/kernel.o(.text+0xce16): In function `do_rw_proc': undefined reference to
`PDE'
Comment 27 Pekka Savola 2006-02-04 17:18:28 EST
I also checked the security updates in latest RHEL3 kernel updates (all the
updates since April 2005), did a grep in our kernel changelogs for CVE numbers,
and checked out some obvious ones based on bugzilla.

The following security issues *seem* to be ones we haven't addressed, or don't
apply in RHL73/RHL9 kernel.  Most of them seem very minor.

It's not clear whether we need to address these (or some of these), and if so,
whether to do so now, or when next respinning the updates.

The most important ones seem to be CVE-2002-2185 and CAN-2005-0210 (if applicable).

https://rhn.redhat.com/errata/RHSA-2006-0140.html on 2006-01-19:
----------------------------------------------------------------

- a flaw in network IGMP processing that a allowed a remote user on the
local network to cause a denial of service (disabling of multicast reports)
if the system is running multicast applications (CVE-2002-2185, moderate)
bz#174808

https://rhn.redhat.com/errata/RHSA-2005-663.html on 2005-09-28:
---------------------------------------------------------------

- a flaw in stack expansion that allowed a local user of mlockall()
to cause a denial of service (memory exhaustion) (CAN-2005-0179)
bz#144524

- a small memory leak in network packet defragmenting that allowed a
remote user to cause a denial of service (memory exhaustion) on
systems using netfilter (CAN-2005-0210)
bz#158724 [--note, this might be RHEL only, maybe related to IPsec
backport]]

https://rhn.redhat.com/errata/RHSA-2005-472.html on 2005-05-25:
---------------------------------------------------------------

A flaw in shared memory locking allowed local unprivileged users to lock
and unlock regions of shared memory segments they did not own
(CAN-2005-0176).
bz#142802

A flaw in the locking of SysV IPC shared memory regions allowed local
unprivileged users to bypass their RLIMIT_MEMLOCK resource limit
(CAN-2004-0491).
bz#126411

From https://rhn.redhat.com/errata/RHSA-2005-293.html on 2005-04-22:
--------------------------------------------------------------------

The ext3 and jfs code did not properly initialize journal descriptor
blocks. A privileged local user could read portions of kernel memory.
(CAN-2004-0177)
bz#121032

In addition to the security issues listed above, there was an important
fix made to the handling of the msync() system call for a particular case
in which the call could return without queuing modified mmap()'ed data for
file system update. (BZ 147969)
Comment 28 Marc Deslauriers 2006-02-04 23:20:37 EST
Thanks for the info Pekka.

Here is an updated rh9 and rh73 kernel source package to QA.

- I removed the CVE-2005-3044 patch
- I fixed the CVE-2005-2709 patch
- I added a patch for CVE-2002-2185
- CVE-2005-0179 is specific to RHEL3, the code doesn't look present in rh9
- CVE-2005-0210 is specific to RHEL3, the code doesn't look present in rh9
- CVE-2005-0176 is specific to RHEL3, the code doesn't look present in rh9
- CVE-2004-0491 is specific to RHEL3, the code doesn't look present in rh9
- CVE-2004-0177 was already fixed by FLSA:2336

It can be compiled for rh73 by changing the nptl switch near the
beginning of the spec file.

Changelog:
* Sat Feb 04 2006 Marc Deslauriers <marcdeslauriers@videotron.ca> 2.4.20-45.9.legacy
- Removed CVE-2005-3044 patch (it was 64-bit only)
- Fixed CVE-2005-2709 patch
- Added patch for CVE-2002-2185 (potential IGMP DoS)

* Fri Feb 03 2006 Marc Deslauriers <marcdeslauriers@videotron.ca> 2.4.20-44.9.legacy
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0124 (coda fs flaw)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3273 (ROSE ndigis verification)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

f706a64877d511608f765c60787caf3e1ab07aeb  kernel-2.4.20-45.9.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/kernel-2.4.20-45.9.legacy.src.rpm
Comment 29 Pekka Savola 2006-02-05 04:14:51 EST
It appears that CVE-2005-3272 mentioned in comment #13 also wasn't in the bug
spreadsheet, but AFAICS, RHEL hasn't fixed it either.

I took a look at FC1.

The following patches seem 64-bit specific, and we shouldn't need them:

./linux-2.4.22-CVE-2005-3044.patch:
./linux-2.4.22-CVE-2005-2553.patch:
./linux-2.4.22-CVE-2005-1762.patch:
./linux-2.4.22-CVE-2005-0756.patch:

The following patches exist on RHL9, and weren't in FC1 even though (according
to CVE and other notes), they should be applicable:

+./linux-2.4.29-CVE-2005-0124.patch: ASCII C program text
+./linux-2.4.29-CVE-2005-3273.patch: ASCII C program text

The others were OK.
Obviously, CVE-2002-2185 isn't there, but can be added later if need be.

Could you comment on these?

I hope someone can do the QA for FC2/FC3.

RHL73 and RHL9 are fine.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes good
 - patches verified (thanks for the good info on where they're from!)
 - RHL9 rebuilds and reboots

+PUBLISH RHL73, RHL9

f706a64877d511608f765c60787caf3e1ab07aeb  kernel-2.4.20-45.9.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFD5cLNGHbTkzxSL7QRArL6AJ4kGb+afmOQZgFAkY2Y0/sABa49vQCgiRyO
BcQ4gqy0Hx1wSdKAFS04uQI=
=+dxs
-----END PGP SIGNATURE-----
Comment 30 Marc Deslauriers 2006-02-05 08:26:14 EST
Fedora Legacy is getting a x86_64 build server. Jesse has mentioned that we will
probably be rebuilding all the released security updates for x86_64 starting
with FC1. The 64-bit kernel patches should stay.

In the FC1 kernel, CVE-2005-0124 and CVE-2005-3273 are both fixed by the
linux-2.4.29-rc2-security-fixes.patch patch.

CVE-2002-2185 is trivial, it can be added for the test build.
Comment 31 Pekka Savola 2006-02-06 02:41:34 EST
Hmm.  Something doesn't sound quite right about that.  We already have 5 distros
we're having hard time following.  You're saying we should add new arches to
those, bringing the total number (of VERIFY-testing) to at least 8 (and need to
add handling for many 64-bit specific bugs we've come across lately).
Comment 32 David Eisenstein 2006-02-06 06:03:04 EST
Comments 30 and 31 might be a good thing to discuss on the fedora-legacy-list.
See what others' thoughts are.
Comment 33 Marc Deslauriers 2006-02-07 23:13:50 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated fc3 kernel packages to QA:

Changelog:
* Tue Feb 07 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.6.12-2.2.legacy_FC3
- - Added patches for:
  CVE-2002-2185 (IGMP DoS)
  CVE-2005-3527 (do_coredump() vs SIGSTOP race)
  CVE-2005-3805 (POSIX timer cleanup handling on exit locking problem)
  CVE-2006-0095 (dm-crypt key leak)
  CVE-2006-0454 (ICMP route double-free)
  CVE-2005-3807 (memory leak with file leases)

* Fri Jan 27 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.6.12-2.1.legacy_FC3
- - Added patches for:
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)


c3c03ddfa1154deaf389cc12a301e0fa34486197  kernel-2.6.12-2.2.legacy_FC3.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/3/kernel-2.6.12-2.2.legacy_FC3.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD6XGoLMAs/0C4zNoRAieTAKCJRyslurw+F7KG6TtmIPWe8NrrHgCffXE8
oj7nBgfCWhenfYBE3+nh21E=
=RDBo
-----END PGP SIGNATURE-----
Comment 34 Marc Deslauriers 2006-02-07 23:19:52 EST
Created attachment 124350 [details]
Updated kernel bug spreadsheet

What's in blue is what's fixed in the packages attached to this bug.
Comment 35 Marc Deslauriers 2006-02-11 10:43:11 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is, once more, an updated fc2 kernel source package to QA.
It has not been compile-tested.

Changelog:
* Fri Feb 10 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.6.10-2.3.legacy_FC2
- - Added patches for:
  CVE-2002-2185 (IGMP DoS)
  CVE-2005-3805 (POSIX timer cleanup handling on exit locking problem)
  CVE-2005-3807 (memory leak with file leases)
  CVE-2006-0095 (dm-crypt key leak)

* Fri Feb 03 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.6.10-2.2.legacy_FC2
- - Added patches for:
  CVE-2005-2800 (/proc/scsi/scsi DoS)
  CVE-2005-2801 (ext2/3 xattr sharing bug)
  CVE-2005-2872 (ipt_recent integer handling)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3053 (sys_set_mempolicy() bounds check)
  CVE-2005-3106 (exec_mmap race DoS)
  CVE-2005-3109 (HFS oops)
  CVE-2005-3110 (race in ebtables)
  CVE-2005-3180 (etherleak in orinoco)
  CVE-2005-3181 (names_cache memory leak)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area has minor info leak)
  CVE-2005-3848 (dst_entry leak DoS)
  CVE-2005-3858 (ip6_input_finish DoS)

* Sat Jan 28 2006 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.6.10-2.1.legacy_FC2
- - Added patches for:
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-0839 (Only root should be able to set the N_MOUSE line discipline)
  CVE-2005-0867 (signedness issue in sysfs)
  CVE-2005-0937 (futex mmap_sem deadlock)
  CVE-2005-0977 (tmpfs truncate bug)
  CVE-2005-1041 (crash while reading /proc/net/route)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1264 (data corruptor/local root in raw driver)
  CVE-2005-1265 (Prevent NULL mmap in topdown model)
  CVE-2005-1368 (key lookup race DoS)
  CVE-2005-1369 (i2c alarms sysfs DoS)
  CVE-2005-1761 (ia64 ptrace vulnerability)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-1763 (x86_64-ptrace-overflow crash)
  CVE-2005-2098 (key management session can leave semaphore pinned)
  CVE-2005-2099 (Destruction of failed keyring oopses)
  CVE-2005-2456 (IPSEC overflow)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2492 (Fix raw_sendmsg accesses)
  CVE-2005-2555 (IPSEC lacks restrictions)
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)

69aad0ec7acb370deff773a63a10a357b6c2dd24  kernel-2.6.10-2.3.legacy_FC2.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/kernel-2.6.10-2.3.legacy_FC2.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD4DBQFD7gfPLMAs/0C4zNoRAhGHAJdB9Vi9NZSQqoYHnSQIePybJ1uWAJ4vgVeE
mbPgTVTb2pEgvsG38xL8VA==
=c893
-----END PGP SIGNATURE-----
Comment 36 Johnny Wahnstroem 2006-02-14 12:32:12 EST
The kernel package above (kernel-2.6.10-2.3.legacy_FC2.src.rpm) compiles fine on
a FC2 SMP x86_64 Opteron machine.

There's a big problem though - the RPMs (kernel- and kernel-smp), upon
installation using "rpm -Uvh kernel*" removed all of my old (and currently
running) kernel sets . The grub.conf now only lists the two new kernels.

That is not the way a kernel RPMs usually installs - they should merely add
themselves to the installed kernels and add stanzas to /etc/grub.conf.
Comment 37 Jesse Keating 2006-02-14 12:38:08 EST
that is the way that -Uvh has always worked.  For kernels you want to -ivh. 
This is not a bug.
Comment 38 Johnny Wahnstroem 2006-02-14 12:43:02 EST
Oh boy...I'm eating my hat here. I just realised that the behaviour described
above is exactly what "rpm -U" is supposed to do. I ought to have used "rpm -i"...

Sorry about the wasted bandwidth. I'll see if I can clean up my own mess and
provide a more useful feedback of how the new kernel package works in practice...

I'm trying to figure out a recurring kernel panic/server freeze that occurs
about every two weeks. Since I've recently implemented a SSH connection
throttling using iptables and ipt_recent, I figured this kernel might sort it.
(CVE-2005-2872)

Again, my apologies.
Comment 39 Pekka Savola 2006-02-16 09:11:14 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
                                                                               
                                            
I was hoping someone else would do this, but in the interest of moving this
forward....
 
QA w/ rpm-build-compare.sh:
- - source integrity good
- - spec file changes minimal
- - patches verified to come from RHEL or upstream as indicated in the patch
  descriptions.  I did not verify whether FC2 or FC3 address all the known
  vulnerabilities.
 
Notes about patches:
 
- - FC2 doesn't include the following FC3 fix, through bugtraq notes indicate that
  2.6.10 should be affected?  Was it excluded intentionally?
     CVE-2005-3527 (do_coredump() vs SIGSTOP race)
 
- - CVE-2006-0454 patch source information (at least on FC3) is wrong,
  referring to a different bug, but the patch itself is OK.  Can be fixed at
  build time.
 
- - also checked that FC1 64-bit patches are OK, even though I'm against
  including 64-bit support for FC1; FC1 also required a few modifications
  (discussed above) at build time.
 
+PUBLISH FC1, FC2, FC3
 
7ad6987740bc080d00e3d84b2450a35bed73f128  kernel-2.4.22-1.2199.6.legacy.nptl.src.rpm
69aad0ec7acb370deff773a63a10a357b6c2dd24  kernel-2.6.10-2.3.legacy_FC2.src.rpm
c3c03ddfa1154deaf389cc12a301e0fa34486197  kernel-2.6.12-2.2.legacy_FC3.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
                                                                               
                                            
iD8DBQFD9IkbGHbTkzxSL7QRAjKjAJ91W+2MEq0MLK6BwH+ILbTIATwHPQCgkXIY
xbmeeyUJCD0hStdEOFko6pM=
=hpHh
-----END PGP SIGNATURE-----
Comment 40 Matthew Miller 2006-02-16 09:39:32 EST
Sorry, haven't had time to review all of the patches. But we have been running
the FC3 kernel on a number of test machines with no obvious problems, so that's
a positive datapoint at leaset.
Comment 41 Marc Deslauriers 2006-02-16 18:21:30 EST
Thanks Pekka!

The code that is affected by CVE-2005-3527 doesn't look present in the FC2
source. If someone finds it, please let me know, we'll include it next time.

CVE-2006-0454 does indeed have wrong source info, I'll fix it when I build for
testing.

What were the modifications you needed for FC1? Was it the missing CVE-2002-2185
patch?
Comment 42 Pekka Savola 2006-02-17 00:42:46 EST
Yes, CVE-2002-2185.
Comment 43 Marc Deslauriers 2006-02-20 19:53:08 EST
Packages were pushed to updates-testing
Comment 44 Jim Popovitch 2006-02-25 00:28:59 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH73

Running on production web servers with no noticable issues.

488df87ec8914c665f2509688a06dbb7dc5cf476  kernel-2.4.20-45.7.legacy.i686.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFD/+xKMyG7U7lo69MRAoZ5AJ9BM5SNoT+i8y+AsZnZE1H3JWtiAACgy9WL
+XdXxPplfz2SS/xKZtAUBos=
=sago
-----END PGP SIGNATURE-----
Comment 45 Pekka Savola 2006-02-25 02:58:12 EST
Thanks!
Comment 46 Marc Deslauriers 2006-03-05 14:15:30 EST
Updated packages were pushed to updates-testing to fix bug 183491.
Comment 47 Donald Maner 2006-03-05 19:00:43 EST
I would think that the timeout needs to be reset as well.
Comment 48 David Eisenstein 2006-03-06 03:55:40 EST
Yes ... and maybe rh73 should be re-verified?  I'll adjust the timeout for two
weeks from when the new packages were pushed to updates-testing for the moment.
We can discuss if it shouldn't be so long...  I intend to verify fc1 in the next
day or two, though.
Comment 49 Pekka Savola 2006-03-06 05:37:15 EST
Remember that the buggy patch was not introduced in *THIS* update, but the
previous one.  Hence, I think we shouldn't overdo the testing for these updates,
though a bit more testing seems warranted. I'd like to get the packages released
in a week.
Comment 50 David Eisenstein 2006-03-06 06:43:08 EST
Not unreasonable, Pekka.  One thing though - this is the *kernel*, and so far
we have had only one verify vote.  Considering how small a change this is, it
makes sense that rh73 likely does not need re-verifying.

So we can use verify votes for RH9, FC1, FC2 & FC3...

Downloading FC1 packages now...
Comment 51 Jim Popovitch 2006-03-06 08:48:58 EST
I am testing kernel-2.4.20-46.7 (RH73) this week (I don't expect any problems)
and will post a verify in a few days if all is well.
Comment 52 Pekka Savola 2006-03-09 08:13:02 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I've tested the -46 kernel package on RHL9.  RPM signatures are OK, installs
nicely, and seems to work fine.
 
+VERIFY RHL9
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFEECsJGHbTkzxSL7QRAqJ6AJ4s3W56hmEVTxHS7q1GcpKuwsPtwQCgwnoI
PMKslikHYCdIlssTX0gn4SM=
=WENV
-----END PGP SIGNATURE-----
Comment 53 Jim Popovitch 2006-03-09 13:58:55 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VERIFY++  RH73

Works as expected.  Tested on production web/mail systems, no concerns.  Install
works find and no n
ecessary changes needed to reboot into new kernel.  Dmesg and /var/log/messages
show no   othing out
 of the ordinary.

82f9abe5137fe60c379e54ed4c30102e77a3d7ce  kernel-2.4.20-46.7.legacy.i686.rpm

- -Jim P.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFEEHwJMyG7U7lo69MRAvwcAKDVsOP3hjuCFNpigFRtfp30PtuN0ACeJBEN
mpHf/MctSUSYJ70823YjL2E=
=cxK1
-----END PGP SIGNATURE-----
Comment 54 David Eisenstein 2006-03-12 16:23:34 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test results for FC1 kernel:

70e345e1ff5427a4aa41fb4b72155e6ba73fcc38__kernel-2.4.22-1.2199.8.legacy.nptl.i586.rpm

	Fedora Core release 1 (Yarrow)
	Kernel 2.4.22-1.2199.8.legacy.nptl on an i586

	twinkfed login:

   * Booted fine
   * Ran everything fine for most of a day.
   * Did not test for any of the vulnerabilities.
   * Shut down fine.
   * No issues with this kernel.  Seems to work great.

 VERIFY++ FC1   kernel-2.4.22-1.2199.8.legacy.nptl.i586.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFEFJJNxou1V/j9XZwRAo8HAJ4+OZAsiarlXmRliY8o1mXe/gEpqwCffmq8
dh8gUt+5I+Tz0tK/VCmXrUs=
=cOrs
-----END PGP SIGNATURE-----
Comment 55 Pekka Savola 2006-03-13 01:33:18 EST
Thanks Jim, David.

Timeout over.
Comment 56 Marc Deslauriers 2006-03-16 19:49:02 EST
Packages were pushed to updates.

Note You need to log in before you can comment on or make changes to this bug.