move retired to the top level hierarchy so people can easily checkout just the active issues

git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@548 e094ebfe-e918-0410-adfb-c712417f3574

1 files changed, 38 insertions, 0 deletions

diff --git a/retired/CVE-2003-0018 b/retired/CVE-2003-0018
new file mode 100644
index 00000000..d89c0b09
--- /dev/null
+++ b/retired/CVE-2003-0018
@@ -0,0 +1,38 @@
+Candidate: CVE-2003-0018
+References: 
+ DEBIAN:DSA-358
+ DEBIAN:DSA-423
+ MANDRAKE:MDKSA-2003:014
+ REDHAT:RHSA-2003:025
+ BID:6763
+ XF:linux-odirect-information-leak(11249)
+Description: 
+ Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the
+ O_DIRECT feature, which allows local attackers with write privileges to
+ read portions of previously deleted files, or cause file system
+ corruption.
+Notes: 
+ dannf> It looks like the fix that was used in woody is to diable
+ dannf> O_DIRECT.  Is this the upstream fix?
+ dannf> http://linux.bkbits.net:8080/linux-2.4/cset@3da0af3a87N78_-K9uAzGF_5cLsRkA?nav=index.html|tags|ChangeSet@..1.717.1.11
+ dannf> I've asked hch via e-mail
+ .
+ dannf> and here's his response:
+ .
+ The big O_DIRECT issues we had a while ago involved redoing large parts of
+ the locking so it's definitily not the patch above.  It was fixed in 2.4.2x
+ for x = 2 or 3 IIRC.  The 2.5.27 kernels in sarge ff are definitly okay.
+ .
+ dannf> Therefore, I'm marking >= sarge kernels N/A
+Bugs: 
+upstream: 
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-10)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)