Bug 838961 - CVE-2012-3375 not included in the Kernel changelog for kernel-2.6.18-308.11.1.el5.src.rpm
CVE-2012-3375 not included in the Kernel changelog for kernel-2.6.18-308.11.1...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.8
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Red Hat Kernel Manager
Red Hat Kernel QE team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-10 10:00 EDT by Johnny Hughes
Modified: 2012-07-10 12:55 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-10 11:37:55 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Johnny Hughes 2012-07-10 10:00:02 EDT
Description of problem:
The latest kernel in RHEL-5 (kernel-2.6.18-308.11.1.el5.src.rpm) is described here:
http://rhn.redhat.com/errata/RHSA-2012-1061.html

That description says the bug fixes CVE-2012-3375, however that CVE is NOT in the changelog for the kernel.

Also, in looking at the kernel changelog, the following entries are detailed:

* Fri Jun 15 2012 Alexander Gordeev <agordeev@redhat.com> [2.6.18-308.11.1.el5]
* Thu Jun 14 2012 Alexander Gordeev <agordeev@redhat.com> [2.6.18-308.10.1.el5]
* Wed Jun 06 2012 Alexander Gordeev <agordeev@redhat.com> [2.6.18-308.9.1.el5]
* Fri May 04 2012 Alexander Gordeev <agordeev@redhat.com> [2.6.18-308.8.1.el5]

Note:  There was a 2.6.18-308.8.2.el5 kernel released on Jun2 12th, however there is no 2.6.18-308.8.2.el5 entry in this kernel.  Are all the 2.6.18-308.8.2.el5 changes also included in the 2.6.18-308.11.1.el5 kernel?
Comment 1 Vincent Danen 2012-07-10 11:37:55 EDT
Hi, Johnny.  The changelog entry in question for CVE-2012-3375 is:

- [fs] epoll: clear the tfile_check_list on -ELOOP (Jason Baron) [829670 817131]

The 2.6.18-308.2.el5 kernel was to fix some xen issues:

https://rhn.redhat.com/errata/RHSA-2012-0721.html

Those fixes are included in and noted in the 2.6.18-308.10.1.el5 changelog:

* Thu Jun 14 2012 Alexander Gordeev <agordeev@redhat.com> [2.6.18-308.10.1.el5]
- [xen] x86_64: check address on trap handlers or guest callbacks (Paolo Bonzini) [813430 813431] {CVE-2012-0217}
- [xen] x86_64: Do not execute sysret with a non-canonical return address (Paolo Bonzini) [813430 813431] {CVE-2012-0217}
- [xen] x86: prevent hv boot on AMD CPUs with Erratum 121 (Laszlo Ersek) [824969 824970] {CVE-2012-2934}

The primary difference in the changelog from 308.8.2.el5 vs 308.10.1.el5 is that the CVE name was not known at the time of 308.8.2.el5 for the last issue (CVE-2012-2934).

I suspect the same may be true here, and a future kernel will note that CVE name.

To answer the second question, yes, those fixes are present in 308.11.1.el5.

Note You need to log in before you can comment on or make changes to this bug.