From 6471f3dab8b9f08bf043c1fcc49f8a0bf467300a Mon Sep 17 00:00:00 2001
From: Moritz Muehlenhoff
Date: Mon, 30 Apr 2007 17:08:05 +0000
Subject: retire several issues

git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@774 e094ebfe-e918-0410-adfb-c712417f3574
---
 active/CVE-2006-3634  | 21 ---------------------
 active/CVE-2006-3741  | 20 --------------------
 active/CVE-2006-3745  | 20 --------------------
 active/CVE-2006-4145  | 20 --------------------
 active/CVE-2006-4535  | 20 --------------------
 active/CVE-2006-4538  | 24 ------------------------
 active/CVE-2006-4813  | 23 -----------------------
 active/CVE-2006-4997  | 19 -------------------
 active/CVE-2006-5158  | 23 -----------------------
 active/CVE-2006-5173  | 26 --------------------------
 active/CVE-2006-5174  | 22 ----------------------
 active/CVE-2006-5648  | 28 ----------------------------
 active/CVE-2006-5649  | 24 ------------------------
 active/CVE-2006-5749  | 30 ------------------------------
 active/CVE-2006-6304  | 14 --------------
 retired/CVE-2006-3634 | 21 +++++++++++++++++++++
 retired/CVE-2006-3741 | 20 ++++++++++++++++++++
 retired/CVE-2006-3745 | 20 ++++++++++++++++++++
 retired/CVE-2006-4145 | 20 ++++++++++++++++++++
 retired/CVE-2006-4535 | 20 ++++++++++++++++++++
 retired/CVE-2006-4538 | 24 ++++++++++++++++++++++++
 retired/CVE-2006-4813 | 23 +++++++++++++++++++++++
 retired/CVE-2006-4997 | 19 +++++++++++++++++++
 retired/CVE-2006-5158 | 23 +++++++++++++++++++++++
 retired/CVE-2006-5173 | 26 ++++++++++++++++++++++++++
 retired/CVE-2006-5174 | 22 ++++++++++++++++++++++
 retired/CVE-2006-5648 | 28 ++++++++++++++++++++++++++++
 retired/CVE-2006-5649 | 24 ++++++++++++++++++++++++
 retired/CVE-2006-5749 | 30 ++++++++++++++++++++++++++++++
 retired/CVE-2006-6304 | 14 ++++++++++++++
 30 files changed, 334 insertions(+), 334 deletions(-)
 delete mode 100644 active/CVE-2006-3634
 delete mode 100644 active/CVE-2006-3741
 delete mode 100644 active/CVE-2006-3745
 delete mode 100644 active/CVE-2006-4145
 delete mode 100644 active/CVE-2006-4535
 delete mode 100644 active/CVE-2006-4538
 delete mode 100644 active/CVE-2006-4813
 delete mode 100644 active/CVE-2006-4997
 delete mode 100644 active/CVE-2006-5158
 delete mode 100644 active/CVE-2006-5173
 delete mode 100644 active/CVE-2006-5174
 delete mode 100644 active/CVE-2006-5648
 delete mode 100644 active/CVE-2006-5649
 delete mode 100644 active/CVE-2006-5749
 delete mode 100644 active/CVE-2006-6304
 create mode 100644 retired/CVE-2006-3634
 create mode 100644 retired/CVE-2006-3741
 create mode 100644 retired/CVE-2006-3745
 create mode 100644 retired/CVE-2006-4145
 create mode 100644 retired/CVE-2006-4535
 create mode 100644 retired/CVE-2006-4538
 create mode 100644 retired/CVE-2006-4813
 create mode 100644 retired/CVE-2006-4997
 create mode 100644 retired/CVE-2006-5158
 create mode 100644 retired/CVE-2006-5173
 create mode 100644 retired/CVE-2006-5174
 create mode 100644 retired/CVE-2006-5648
 create mode 100644 retired/CVE-2006-5649
 create mode 100644 retired/CVE-2006-5749
 create mode 100644 retired/CVE-2006-6304

diff --git a/active/CVE-2006-3634 b/active/CVE-2006-3634
deleted file mode 100644
index 6038ddbe5..000000000
--- a/active/CVE-2006-3634
+++ /dev/null
@@ -1,21 +0,0 @@ -Candidate: CVE-2006-3634 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bafe00cc9297ca77b66e5c83e5e65e17c0c997c8 - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=13492c50f69bdf60a42debc6bd3ec49cc1dc941e -Description: - The (1) __futex_atomic_op and (2) futex_atomic_cmpxchg_inatomic functions in - Linux kernel 2.6.17-rc4 to 2.6.18-rc2 performs the atomic futex operation - with user space addresses instead of kernel space addresses, which allows - local users to cause a denial of service (crash). -Ubuntu-Description: -Notes: - dannf> s390 didn't have a futex.h until after 2.6.16 -Bugs: -upstream: released (2.6.18-rc2) -linux-2.6: released (2.6.17-1) -2.6.8-sarge-security: N/A -2.4.27-sarge-security: N/A -2.6.10-hoary-security: N/A -2.6.12-breezy-security: N/A -2.6.15-dapper-security: N/A -2.6.17-edgy: ignored diff --git a/active/CVE-2006-3741 b/active/CVE-2006-3741 deleted file mode 100644 index ef3e5c814..000000000 --- a/active/CVE-2006-3741 +++ /dev/null @@ -1,20 +0,0 @@ -Candidate: CVE-2006-3741 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b8444d00762703e1b6146fce12ce2684885f8bf6 -Description: - The perfmonctl system call (sys_perfmonctl) in Linux kernel 2.4.x and - 2.6 before 2.6.18, when running on Itanium systems, does not properly - track the reference count for file descriptors, which allows local - users to cause a denial of service (file descriptor consumption). -Ubuntu-Description: -Notes: - dannf> I don't think 2.4 is affected - there are no existing calls to fput -Bugs: -upstream: released (2.6.18) -linux-2.6: released (2.6.18-1) -2.6.8-sarge-security: released (2.6.8-16sarge6) [perfmon-fd-refcnt.dpatch] -2.4.27-sarge-security: N/A -2.6.10-hoary-security: ignored -2.6.12-breezy-security: ignored -2.6.15-dapper-security: ignored -2.6.17-edgy: released (2.6.17-10.31) 
diff --git a/active/CVE-2006-3745 b/active/CVE-2006-3745 deleted file mode 100644 index a3355ba43..000000000 --- a/active/CVE-2006-3745 +++ /dev/null @@ -1,20 +0,0 @@ -Candidate: CVE-2006-3745 -References: - http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=96ec9da385cf72c5f775e5f163420ea92e66ded2 - http://www.kernel.org/git/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=e12289f0bc673dabb22be32d2df54b0ebfc7cf2b -Description: sctp potential local privilege escalation -Ubuntu-Description: - Wei Wang of McAfee Avert Labs discovered a buffer overflow in the - sctp_make_abort_user() function of iptables' SCTP module. On - computers which use this module, a local attacker could expoit this - to execute arbitrary code with root privileges. -Notes: -Bugs: -upstream: released (2.6.18-rc5) -linux-2.6: released (2.6.17-7) -2.6.8-sarge-security: released (2.6.8-16sarge5) [sctp-priv-elevation.dpatch] -2.4.27-sarge-security: released (2.4.27-10sarge4) [228_sctp-priv-elevation.diff] -2.6.10-hoary-security: released (2.6.10-34.23) -2.6.12-breezy-security: released (2.6.12-10.37) -2.6.15-dapper-security: released (2.6.15-26.47) -2.6.17-edgy: released (2.6.17-10.31) diff --git a/active/CVE-2006-4145 b/active/CVE-2006-4145 deleted file mode 100644 index 05fb39d27..000000000 --- a/active/CVE-2006-4145 +++ /dev/null 
@@ -1,20 +0,0 @@ -Candidate: CVE-2006-4145 -References: - http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=7127be29378b1230eb8dd8b84f18d6b69c56e959 -Description: - Fix possible UDF deadlock and memory corruption -Ubuntu-Description: - The UDF file system does not handle extends larger than 1 GB, but did - not check for this restriction on truncating files. A local user - could exploit this to crash the kernel. -Notes: - dannf> Submitted upstream on 2006.08.27 -Bugs: -upstream: released (2.6.17.10), released (2.6.18-rc5) -linux-2.6: released (2.6.17-7) -2.6.8-sarge-security: released (2.6.8-16sarge5) [udf-deadlock.dpatch] -2.4.27-sarge-security: released (2.4.27-10sarge4) [231_udf-deadlock.diff] -2.6.10-hoary-security: released (2.6.10-34.23) -2.6.12-breezy-security: released (2.6.12-10.37) -2.6.15-dapper-security: released (2.6.15-26.47) -2.6.17-edgy: released (2.6.17-10.30) diff --git a/active/CVE-2006-4535 b/active/CVE-2006-4535 deleted file mode 100644 index b624c6648..000000000 --- a/active/CVE-2006-4535 +++ /dev/null @@ -1,20 +0,0 @@ -Candidate: CVE-2006-4535 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b9ac86727fc02cc7117ef3fe518a4d51cd573c82 -Description: - fix for CVE-2006-3745 sctp fix from dave miller -Ubuntu-Description: - Sridhar Samudrala discovered a local Denial of Service vulnerability - in the handling of SCTP sockets. By opening such a socket with a - special SO_LINGER value, a local attacker could exploit this to crash - the kernel. -Notes: -Bugs: -upstream: released (2.6.18-rc6) -linux-2.6: released (2.6.18-1) -2.6.8-sarge-security: released (2.6.8-16sarge5) [sctp-priv-elevation-2.dpatch] -2.4.27-sarge-security: released (2.4.27-10sarge4) [228_sctp-priv-elevation-2.diff] -2.6.10-hoary-security: released (2.6.10-34.24) -2.6.12-breezy-security: released (2.6.12-10.40) -2.6.15-dapper-security: released (2.6.15-27.48) -2.6.17-edgy: released (2.6.17-10.31) 
diff --git a/active/CVE-2006-4538 b/active/CVE-2006-4538 deleted file mode 100644 index 210f9fb8e..000000000 --- a/active/CVE-2006-4538 +++ /dev/null @@ -1,24 +0,0 @@ -Candidate: CVE-2006-4538 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3a459756810912d2c2bf188cef566af255936b4d - http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=8833ebaa3f4325820fe3338ccf6fae04f6669254 -Description: - Linux kernel 2.6.17 and earlier, when running on IA64 or SPARC - platforms, allows local users to cause a denial of service (crash) via - a malformed ELF file that triggers memory maps that cross region - boundaries. -Ubuntu-Description: - Kirill Korotaev discovered that the ELF loader on the ia64 and sparc - platforms did not sufficiently verify the memory layout. By - attempting to execute a specially crafted executable, a local user - could exploit this to crash the kernel. -Notes: -Bugs: -upstream: released (2.6.18-rc7) -linux-2.6: released (2.6.18-1) -2.6.8-sarge-security: released (2.6.8-16sarge6) [ia64-sparc-cross-region-mappings.dpatch] -2.4.27-sarge-security: released (2.4.27-10sarge5) [233_ia64-sparc-cross-region-mappings.diff] -2.6.10-hoary-security: released (2.6.10-34.24) -2.6.12-breezy-security: released (2.6.12-10.40) -2.6.15-dapper-security: released (2.6.15-27.48) -2.6.17-edgy: released (2.6.17-10.31) diff --git a/active/CVE-2006-4813 b/active/CVE-2006-4813 deleted file mode 100644 index 6045237e9..000000000 --- a/active/CVE-2006-4813 +++ /dev/null 
@@ -1,23 +0,0 @@ -Candidate: CVE-2006-4813 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=152becd26e0563aefdbc4fd1fe491928efe92d1f -Description: - The __block_prepare_write function in fs/buffer.c for Linux kernel 2.6.x before 2.6.13 - does not properly clear buffers during certain error conditions, which allows local - users to read portions of files that have been unlinked. -Ubuntu-Description: - Dmitriy Monakhov discovered an information leak in the - __block_prepare_write() function. During error recovery, this - function did not properly clear memory buffers which could allow - local users to read portions of unlinked files. -Notes: - dannf> I don't think 2.4 is affected because the BH_New bit is not - dannf> cleared after get_block returns - marking 2.4.27 N/A -Bugs: -upstream: released (2.6.13-rc1) -linux-2.6: released (2.6.13-1) -2.6.8-sarge-security: released (2.6.8-16sarge6) [__block_prepare_write-recovery.dpatch] -2.4.27-sarge-security: N/A -2.6.12-breezy-security: released (CVE-2006-4813) -2.6.15-dapper-security: released -2.6.17-edgy: released diff --git a/active/CVE-2006-4997 b/active/CVE-2006-4997 deleted file mode 100644 index cb7582f76..000000000 --- a/active/CVE-2006-4997 +++ /dev/null 
@@ -1,19 +0,0 @@ -Candidate: CVE-2006-4997 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fe26109a9dfd9327fdbe630fc819e1b7450986b2 -Description: - IP over ATM clip_mkip dereference freed pointer -Ubuntu-Description: - ADLab Venustech Info Ltd discovered that the ATM network driver - referenced an already released pointer in some circumstances. By - sending specially crafted packets to a host over ATM, a remote - attacker could exploit this to crash that host. -Notes: -Bugs: -upstream: released (2.4.34-pre4, 2.6.18) -linux-2.6: released (2.6.18-1) -2.6.8-sarge-security: released (2.6.8-16sarge6) [atm-clip-freed-skb-deref.dpatch] -2.4.27-sarge-security: released (2.4.27-10sarge5) [234_atm-clip-freed-skb-deref.diff] -2.6.12-breezy-security: released (2.6.12-10.41) -2.6.15-dapper-security: released (2.6.15-27.49) -2.6.17-edgy: released (2.6.17-10.31) diff --git a/active/CVE-2006-5158 b/active/CVE-2006-5158 deleted file mode 100644 index 7c3c692c8..000000000 --- a/active/CVE-2006-5158 +++ /dev/null 
@@ -1,23 +0,0 @@ -Candidate: CVE-2006-5158 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9b5b1f5bf9dcdb6f23abf65977a675eb4deba3c0 -Description: - The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel - before 2.6.16 allows remote attackers to cause a denial of service - (process crash) and deny access to NFS exports via unspecified - vectors that trigger a kernel oops (null dereference) and a deadlock. -Ubuntu-Description: - Matthias Andree discovered that the NFS locking management daemon - (lockd) did not correctly handle mixing of 'lock' and 'nolock' option - mounts on the same client. A remote attacker could exploit this to - crash lockd and thus rendering the NFS imports inaccessible. -Notes: - Bug introduced in 2.6.9, fixed in 2.6.15-rc6 -Bugs: -upstream: -linux-2.6: -2.6.8-sarge-security: N/A -2.4.27-sarge-security: N/A -2.6.12-breezy-security: released (2.6.12-10.41) -2.6.15-dapper-security: N/A -2.6.17-edgy: N/A diff --git a/active/CVE-2006-5173 b/active/CVE-2006-5173 deleted file mode 100644 index 9f18d25ec..000000000 --- a/active/CVE-2006-5173 +++ /dev/null 
@@ -1,26 +0,0 @@ -Candidate: CVE-2006-5173 -References: - http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=47a5c6fa0e204a2b63309c648bb2fde36836c826 -Description: - Alignment Check (AC) flag in EFLAGS is not saved/restored during task - switch, thus was leaking to other tasks. Those eventually died with a - SIGBUS. -Ubuntu-Description: - The task switching code did not save and restore EFLAGS of processes. - By starting a specially crafted executable, a local attacker could - exploit this to eventually crash many other running processes. -Notes: - incorrect optimization in some later 2.6.x kernel, reverted - Local DoS. - - Are we sure this affects 2.6.17 and before? The CFI_ADJUST_CFA_OFFSET - doesn't seem to be present in these kernels. -Bugs: -upstream: released (2.6.18) -linux-2.6: released (2.6.18-1) -2.6.8-sarge-security: N/A -2.4.27-sarge-security: N/A -2.6.10-hoary-security: N/A -2.6.12-breezy-security: N/A -2.6.15-dapper-security: released (2.6.15-27.49) -2.6.17-edgy: released (2.6.17.1-10.34) diff --git a/active/CVE-2006-5174 b/active/CVE-2006-5174 deleted file mode 100644 index 104818194..000000000 --- a/active/CVE-2006-5174 +++ /dev/null 
@@ -1,22 +0,0 @@ -Candidate: CVE-2006-5174 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=52149ba6b0ddf3e9d965257cc0513193650b3ea8 -Description: - The copy_from_user function in the uaccess code in Linux kernel 2.6 - before 2.6.19-rc1, when running on s390, does not properly clear a - kernel buffer, which allows local user space programs to read - portions of kernel memory by "appending to a file from a bad - address," which triggers a fault that prevents the unused memory from - being cleared in the kernel buffer. -Ubuntu-Description: -Notes: - jmm> Fix from 2.6.18-3 was reverted, caused problems -Bugs: -upstream: released (2.6.18.1) -linux-2.6: needed -2.6.8-sarge-security: released (2.6.8-16sarge6) [s390-uaccess-memleak.dpatch] -2.4.27-sarge-security: released (2.4.27-10sarge5) [236_s390-uaccess-memleak.diff] -2.6.10-hoary-security: ignored -2.6.12-breezy-security: ignored -2.6.15-dapper-security: ignored -2.6.17-edgy: ignored diff --git a/active/CVE-2006-5648 b/active/CVE-2006-5648 deleted file mode 100644 index 1c7760728..000000000 --- a/active/CVE-2006-5648 +++ /dev/null 
@@ -1,28 +0,0 @@ -Candidate: CVE-2006-5648 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=69588298188b40ed7f75c98a6fd328d82f23ca21 -Description: - The sys_[gs]et_robust_list() syscalls were wired up on PowerPC but - didn't work correctly because futex_atomic_cmpxchg_inatomic() wasn't - implemented. Implement it, based on __cmpxchg_u32(). -Ubuntu-Description: - Fabio Massimo Di Nitto discovered that the sys_get_robust_list and - sys_set_robust_list system calls lacked proper lock handling on the - powerpc platform. A local attacker could exploit this to create - unkillable processes, drain all available CPU/memory, and render the - machine unrebootable. -Notes: - http://ozlabs.org/pipermail/linuxppc-dev/2006-October/027338.html - dannf> Looks like sparc is also vulnerable in 2.6.18, see: - http://lists.debian.org/debian-kernel/2006/12/msg00787.html - But, as this is a powerpc specific CVE, I'll mark Debian as ok -Bugs: -upstream: released (2.6.18) -linux-2.6: released (2.6.18-1) -2.6.18-etch-security: N/A -2.6.8-sarge-security: N/A -2.4.27-sarge-security: N/A -2.6.12-breezy-security: N/A -2.6.15-dapper-security: N/A -2.6.17-edgy-security: released (2.6.17.1-10.34) -2.6.19-feisty: released diff --git a/active/CVE-2006-5649 b/active/CVE-2006-5649 deleted file mode 100644 index a89f6951c..000000000 --- a/active/CVE-2006-5649 +++ /dev/null 
@@ -1,24 +0,0 @@ -Candidate: CVE-2006-5649 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4393c4f6788cee65095dd838cfeca6edefbfeb52 -Description: - The alignment exception used to only check the exception table for - -EFAULT, not for other errors. That opens an oops window if we can - coerce the kernel into getting an alignment exception for other - reasons in what would normally be a user-protected accessor, which - can be done via some of the futex ops. This fixes it by always - checking the exception tables. -Ubuntu-Description: - Fabio Massimo Di Nitto discovered a flaw in the alignment check - exception handling on the powerpc platform. A local attacker could - exploit this to cause a kernel panic and crash the machine. -Notes: - http://ozlabs.org/pipermail/linuxppc-dev/2006-October/027338.html -Bugs: -upstream: released (2.6.19-rc5), released (2.6.18.3) -linux-2.6: released (2.6.18-4) -2.6.8-sarge-security: released (2.6.8-16sarge6) [ppc-alignment-exception-table-check.dpatch] -2.4.27-sarge-security: released (2.4.27-10sarge5) [235_ppc-alignment-exception-table-check.diff] -2.6.12-breezy-security: released (2.6.12-10.41) -2.6.15-dapper-security: released (2.6.15-27.49) -2.6.17-edgy-security: released (2.6.17.1-10.34) diff --git a/active/CVE-2006-5749 b/active/CVE-2006-5749 deleted file mode 100644 index 0bfc2472f..000000000 --- a/active/CVE-2006-5749 +++ /dev/null 
@@ -1,30 +0,0 @@ -Candidate: CVE-2006-5749 -References: - http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dab6df63086762629936e8b89a5984bae39724f6 -Description: - The isdn_ppp_ccp_reset_alloc_state function in - drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4 - does not call the init_timer function for the ISDN PPP CCP reset - state timer, which has unknown attack vectors and results in a system - crash. -Ubuntu-Description: - Al Viro reported that the ISDN PPP module did not initialize the - reset state timer. By sending specially crafted ISDN packets, a - remote attacker could exploit this to crash the kernel. -Notes: - dannf> According to Marcel Holtmann, 2.4 and 2.6 < 2.6.13 are not vulnerable. - dannf> Indeed, in 2.4.27 & 2.6.8, init_timer() just sets timer->base to NULL, - dannf> so the memset() is sufficient to avoid this crash. - dannf> However, in 2.6.8 init_timer() also sets a magic number. add_timer() - dannf> will call __mod_timer(), which calls check_timer(), which will cause - dannf> the kernel to whine if this magic number is not set. I don't think this - dannf> will cause a crash, so I'm considering a non-security issue -Bugs: -upstream: released (2.6.20-rc5) -linux-2.6: released (2.6.20-1) -2.6.18-etch-security: released (2.6.18.dfsg.1-10) -2.6.8-sarge-security: N/A -2.4.27-sarge-security: N/A -2.6.12-breezy-security: released (2.6.12-10.43) -2.6.15-dapper-security: released (2.6.15-28.51) -2.6.17-edgy-security: released (2.6.17.1-11.35) diff --git a/active/CVE-2006-6304 b/active/CVE-2006-6304 deleted file mode 100644 index 931f85755..000000000 --- a/active/CVE-2006-6304 +++ /dev/null @@ -1,14 +0,0 @@ -Candidate: CVE-2006-6304 -References: -Description: -Ubuntu-Description: -Notes: Only 2.6.19 affected -Bugs: -upstream: -linux-2.6: -2.6.18-etch-security: N/A -2.6.8-sarge-security: N/A -2.4.27-sarge-security: N/A -2.6.12-breezy-security: N/A -2.6.15-dapper-security: N/A -2.6.17-edgy-security: N/A 
diff --git a/retired/CVE-2006-3634 b/retired/CVE-2006-3634 new file mode 100644 index 000000000..6038ddbe5 --- /dev/null +++ b/retired/CVE-2006-3634 @@ -0,0 +1,21 @@ +Candidate: CVE-2006-3634 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bafe00cc9297ca77b66e5c83e5e65e17c0c997c8 + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=13492c50f69bdf60a42debc6bd3ec49cc1dc941e +Description: + The (1) __futex_atomic_op and (2) futex_atomic_cmpxchg_inatomic functions in + Linux kernel 2.6.17-rc4 to 2.6.18-rc2 performs the atomic futex operation + with user space addresses instead of kernel space addresses, which allows + local users to cause a denial of service (crash). +Ubuntu-Description: +Notes: + dannf> s390 didn't have a futex.h until after 2.6.16 +Bugs: +upstream: released (2.6.18-rc2) +linux-2.6: released (2.6.17-1) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.10-hoary-security: N/A +2.6.12-breezy-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy: ignored diff --git a/retired/CVE-2006-3741 b/retired/CVE-2006-3741 new file mode 100644 index 000000000..ef3e5c814 --- /dev/null +++ b/retired/CVE-2006-3741 
@@ -0,0 +1,20 @@ +Candidate: CVE-2006-3741 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b8444d00762703e1b6146fce12ce2684885f8bf6 +Description: + The perfmonctl system call (sys_perfmonctl) in Linux kernel 2.4.x and + 2.6 before 2.6.18, when running on Itanium systems, does not properly + track the reference count for file descriptors, which allows local + users to cause a denial of service (file descriptor consumption). +Ubuntu-Description: +Notes: + dannf> I don't think 2.4 is affected - there are no existing calls to fput +Bugs: +upstream: released (2.6.18) +linux-2.6: released (2.6.18-1) +2.6.8-sarge-security: released (2.6.8-16sarge6) [perfmon-fd-refcnt.dpatch] +2.4.27-sarge-security: N/A +2.6.10-hoary-security: ignored +2.6.12-breezy-security: ignored +2.6.15-dapper-security: ignored +2.6.17-edgy: released (2.6.17-10.31) diff --git a/retired/CVE-2006-3745 b/retired/CVE-2006-3745 new file mode 100644 index 000000000..a3355ba43 --- /dev/null +++ b/retired/CVE-2006-3745 
@@ -0,0 +1,20 @@ +Candidate: CVE-2006-3745 +References: + http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=96ec9da385cf72c5f775e5f163420ea92e66ded2 + http://www.kernel.org/git/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=e12289f0bc673dabb22be32d2df54b0ebfc7cf2b +Description: sctp potential local privilege escalation +Ubuntu-Description: + Wei Wang of McAfee Avert Labs discovered a buffer overflow in the + sctp_make_abort_user() function of iptables' SCTP module. On + computers which use this module, a local attacker could expoit this + to execute arbitrary code with root privileges. +Notes: +Bugs: +upstream: released (2.6.18-rc5) +linux-2.6: released (2.6.17-7) +2.6.8-sarge-security: released (2.6.8-16sarge5) [sctp-priv-elevation.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge4) [228_sctp-priv-elevation.diff] +2.6.10-hoary-security: released (2.6.10-34.23) +2.6.12-breezy-security: released (2.6.12-10.37) +2.6.15-dapper-security: released (2.6.15-26.47) +2.6.17-edgy: released (2.6.17-10.31) diff --git a/retired/CVE-2006-4145 b/retired/CVE-2006-4145 new file mode 100644 index 000000000..05fb39d27 --- /dev/null +++ b/retired/CVE-2006-4145 
@@ -0,0 +1,20 @@ +Candidate: CVE-2006-4145 +References: + http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=7127be29378b1230eb8dd8b84f18d6b69c56e959 +Description: + Fix possible UDF deadlock and memory corruption +Ubuntu-Description: + The UDF file system does not handle extends larger than 1 GB, but did + not check for this restriction on truncating files. A local user + could exploit this to crash the kernel. +Notes: + dannf> Submitted upstream on 2006.08.27 +Bugs: +upstream: released (2.6.17.10), released (2.6.18-rc5) +linux-2.6: released (2.6.17-7) +2.6.8-sarge-security: released (2.6.8-16sarge5) [udf-deadlock.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge4) [231_udf-deadlock.diff] +2.6.10-hoary-security: released (2.6.10-34.23) +2.6.12-breezy-security: released (2.6.12-10.37) +2.6.15-dapper-security: released (2.6.15-26.47) +2.6.17-edgy: released (2.6.17-10.30) diff --git a/retired/CVE-2006-4535 b/retired/CVE-2006-4535 new file mode 100644 index 000000000..b624c6648 --- /dev/null +++ b/retired/CVE-2006-4535 @@ -0,0 +1,20 @@ +Candidate: CVE-2006-4535 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b9ac86727fc02cc7117ef3fe518a4d51cd573c82 +Description: + fix for CVE-2006-3745 sctp fix from dave miller +Ubuntu-Description: + Sridhar Samudrala discovered a local Denial of Service vulnerability + in the handling of SCTP sockets. By opening such a socket with a + special SO_LINGER value, a local attacker could exploit this to crash + the kernel. +Notes: +Bugs: +upstream: released (2.6.18-rc6) +linux-2.6: released (2.6.18-1) +2.6.8-sarge-security: released (2.6.8-16sarge5) [sctp-priv-elevation-2.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge4) [228_sctp-priv-elevation-2.diff] +2.6.10-hoary-security: released (2.6.10-34.24) +2.6.12-breezy-security: released (2.6.12-10.40) +2.6.15-dapper-security: released (2.6.15-27.48) +2.6.17-edgy: released (2.6.17-10.31) 
diff --git a/retired/CVE-2006-4538 b/retired/CVE-2006-4538 new file mode 100644 index 000000000..210f9fb8e --- /dev/null +++ b/retired/CVE-2006-4538 @@ -0,0 +1,24 @@ +Candidate: CVE-2006-4538 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3a459756810912d2c2bf188cef566af255936b4d + http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=8833ebaa3f4325820fe3338ccf6fae04f6669254 +Description: + Linux kernel 2.6.17 and earlier, when running on IA64 or SPARC + platforms, allows local users to cause a denial of service (crash) via + a malformed ELF file that triggers memory maps that cross region + boundaries. +Ubuntu-Description: + Kirill Korotaev discovered that the ELF loader on the ia64 and sparc + platforms did not sufficiently verify the memory layout. By + attempting to execute a specially crafted executable, a local user + could exploit this to crash the kernel. +Notes: +Bugs: +upstream: released (2.6.18-rc7) +linux-2.6: released (2.6.18-1) +2.6.8-sarge-security: released (2.6.8-16sarge6) [ia64-sparc-cross-region-mappings.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge5) [233_ia64-sparc-cross-region-mappings.diff] +2.6.10-hoary-security: released (2.6.10-34.24) +2.6.12-breezy-security: released (2.6.12-10.40) +2.6.15-dapper-security: released (2.6.15-27.48) +2.6.17-edgy: released (2.6.17-10.31) diff --git a/retired/CVE-2006-4813 b/retired/CVE-2006-4813 new file mode 100644 index 000000000..6045237e9 --- /dev/null +++ b/retired/CVE-2006-4813 
@@ -0,0 +1,23 @@ +Candidate: CVE-2006-4813 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=152becd26e0563aefdbc4fd1fe491928efe92d1f +Description: + The __block_prepare_write function in fs/buffer.c for Linux kernel 2.6.x before 2.6.13 + does not properly clear buffers during certain error conditions, which allows local + users to read portions of files that have been unlinked. +Ubuntu-Description: + Dmitriy Monakhov discovered an information leak in the + __block_prepare_write() function. During error recovery, this + function did not properly clear memory buffers which could allow + local users to read portions of unlinked files. +Notes: + dannf> I don't think 2.4 is affected because the BH_New bit is not + dannf> cleared after get_block returns - marking 2.4.27 N/A +Bugs: +upstream: released (2.6.13-rc1) +linux-2.6: released (2.6.13-1) +2.6.8-sarge-security: released (2.6.8-16sarge6) [__block_prepare_write-recovery.dpatch] +2.4.27-sarge-security: N/A +2.6.12-breezy-security: released (CVE-2006-4813) +2.6.15-dapper-security: released +2.6.17-edgy: released diff --git a/retired/CVE-2006-4997 b/retired/CVE-2006-4997 new file mode 100644 index 000000000..cb7582f76 --- /dev/null +++ b/retired/CVE-2006-4997 
@@ -0,0 +1,19 @@ +Candidate: CVE-2006-4997 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fe26109a9dfd9327fdbe630fc819e1b7450986b2 +Description: + IP over ATM clip_mkip dereference freed pointer +Ubuntu-Description: + ADLab Venustech Info Ltd discovered that the ATM network driver + referenced an already released pointer in some circumstances. By + sending specially crafted packets to a host over ATM, a remote + attacker could exploit this to crash that host. +Notes: +Bugs: +upstream: released (2.4.34-pre4, 2.6.18) +linux-2.6: released (2.6.18-1) +2.6.8-sarge-security: released (2.6.8-16sarge6) [atm-clip-freed-skb-deref.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge5) [234_atm-clip-freed-skb-deref.diff] +2.6.12-breezy-security: released (2.6.12-10.41) +2.6.15-dapper-security: released (2.6.15-27.49) +2.6.17-edgy: released (2.6.17-10.31) diff --git a/retired/CVE-2006-5158 b/retired/CVE-2006-5158 new file mode 100644 index 000000000..7c3c692c8 --- /dev/null +++ b/retired/CVE-2006-5158 
@@ -0,0 +1,23 @@ +Candidate: CVE-2006-5158 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9b5b1f5bf9dcdb6f23abf65977a675eb4deba3c0 +Description: + The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel + before 2.6.16 allows remote attackers to cause a denial of service + (process crash) and deny access to NFS exports via unspecified + vectors that trigger a kernel oops (null dereference) and a deadlock. +Ubuntu-Description: + Matthias Andree discovered that the NFS locking management daemon + (lockd) did not correctly handle mixing of 'lock' and 'nolock' option + mounts on the same client. A remote attacker could exploit this to + crash lockd and thus rendering the NFS imports inaccessible. +Notes: + Bug introduced in 2.6.9, fixed in 2.6.15-rc6 +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.12-breezy-security: released (2.6.12-10.41) +2.6.15-dapper-security: N/A +2.6.17-edgy: N/A diff --git a/retired/CVE-2006-5173 b/retired/CVE-2006-5173 new file mode 100644 index 000000000..9f18d25ec --- /dev/null +++ b/retired/CVE-2006-5173 
@@ -0,0 +1,26 @@ +Candidate: CVE-2006-5173 +References: + http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=47a5c6fa0e204a2b63309c648bb2fde36836c826 +Description: + Alignment Check (AC) flag in EFLAGS is not saved/restored during task + switch, thus was leaking to other tasks. Those eventually died with a + SIGBUS. +Ubuntu-Description: + The task switching code did not save and restore EFLAGS of processes. + By starting a specially crafted executable, a local attacker could + exploit this to eventually crash many other running processes. +Notes: + incorrect optimization in some later 2.6.x kernel, reverted + Local DoS. + + Are we sure this affects 2.6.17 and before? The CFI_ADJUST_CFA_OFFSET + doesn't seem to be present in these kernels. +Bugs: +upstream: released (2.6.18) +linux-2.6: released (2.6.18-1) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.10-hoary-security: N/A +2.6.12-breezy-security: N/A +2.6.15-dapper-security: released (2.6.15-27.49) +2.6.17-edgy: released (2.6.17.1-10.34) diff --git a/retired/CVE-2006-5174 b/retired/CVE-2006-5174 new file mode 100644 index 000000000..104818194 --- /dev/null +++ b/retired/CVE-2006-5174 
@@ -0,0 +1,22 @@ +Candidate: CVE-2006-5174 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=52149ba6b0ddf3e9d965257cc0513193650b3ea8 +Description: + The copy_from_user function in the uaccess code in Linux kernel 2.6 + before 2.6.19-rc1, when running on s390, does not properly clear a + kernel buffer, which allows local user space programs to read + portions of kernel memory by "appending to a file from a bad + address," which triggers a fault that prevents the unused memory from + being cleared in the kernel buffer. +Ubuntu-Description: +Notes: + jmm> Fix from 2.6.18-3 was reverted, caused problems +Bugs: +upstream: released (2.6.18.1) +linux-2.6: needed +2.6.8-sarge-security: released (2.6.8-16sarge6) [s390-uaccess-memleak.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge5) [236_s390-uaccess-memleak.diff] +2.6.10-hoary-security: ignored +2.6.12-breezy-security: ignored +2.6.15-dapper-security: ignored +2.6.17-edgy: ignored diff --git a/retired/CVE-2006-5648 b/retired/CVE-2006-5648 new file mode 100644 index 000000000..1c7760728 --- /dev/null +++ b/retired/CVE-2006-5648 
@@ -0,0 +1,28 @@ +Candidate: CVE-2006-5648 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=69588298188b40ed7f75c98a6fd328d82f23ca21 +Description: + The sys_[gs]et_robust_list() syscalls were wired up on PowerPC but + didn't work correctly because futex_atomic_cmpxchg_inatomic() wasn't + implemented. Implement it, based on __cmpxchg_u32(). +Ubuntu-Description: + Fabio Massimo Di Nitto discovered that the sys_get_robust_list and + sys_set_robust_list system calls lacked proper lock handling on the + powerpc platform. A local attacker could exploit this to create + unkillable processes, drain all available CPU/memory, and render the + machine unrebootable. +Notes: + http://ozlabs.org/pipermail/linuxppc-dev/2006-October/027338.html + dannf> Looks like sparc is also vulnerable in 2.6.18, see: + http://lists.debian.org/debian-kernel/2006/12/msg00787.html + But, as this is a powerpc specific CVE, I'll mark Debian as ok +Bugs: +upstream: released (2.6.18) +linux-2.6: released (2.6.18-1) +2.6.18-etch-security: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.12-breezy-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: released (2.6.17.1-10.34) +2.6.19-feisty: released diff --git a/retired/CVE-2006-5649 b/retired/CVE-2006-5649 new file mode 100644 index 000000000..a89f6951c --- /dev/null +++ b/retired/CVE-2006-5649 
@@ -0,0 +1,24 @@ +Candidate: CVE-2006-5649 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4393c4f6788cee65095dd838cfeca6edefbfeb52 +Description: + The alignment exception used to only check the exception table for + -EFAULT, not for other errors. That opens an oops window if we can + coerce the kernel into getting an alignment exception for other + reasons in what would normally be a user-protected accessor, which + can be done via some of the futex ops. This fixes it by always + checking the exception tables. +Ubuntu-Description: + Fabio Massimo Di Nitto discovered a flaw in the alignment check + exception handling on the powerpc platform. A local attacker could + exploit this to cause a kernel panic and crash the machine. +Notes: + http://ozlabs.org/pipermail/linuxppc-dev/2006-October/027338.html +Bugs: +upstream: released (2.6.19-rc5), released (2.6.18.3) +linux-2.6: released (2.6.18-4) +2.6.8-sarge-security: released (2.6.8-16sarge6) [ppc-alignment-exception-table-check.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge5) [235_ppc-alignment-exception-table-check.diff] +2.6.12-breezy-security: released (2.6.12-10.41) +2.6.15-dapper-security: released (2.6.15-27.49) +2.6.17-edgy-security: released (2.6.17.1-10.34) diff --git a/retired/CVE-2006-5749 b/retired/CVE-2006-5749 new file mode 100644 index 000000000..0bfc2472f --- /dev/null +++ b/retired/CVE-2006-5749 
@@ -0,0 +1,30 @@ +Candidate: CVE-2006-5749 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dab6df63086762629936e8b89a5984bae39724f6 +Description: + The isdn_ppp_ccp_reset_alloc_state function in + drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4 + does not call the init_timer function for the ISDN PPP CCP reset + state timer, which has unknown attack vectors and results in a system + crash. +Ubuntu-Description: + Al Viro reported that the ISDN PPP module did not initialize the + reset state timer. By sending specially crafted ISDN packets, a + remote attacker could exploit this to crash the kernel. +Notes: + dannf> According to Marcel Holtmann, 2.4 and 2.6 < 2.6.13 are not vulnerable. + dannf> Indeed, in 2.4.27 & 2.6.8, init_timer() just sets timer->base to NULL, + dannf> so the memset() is sufficient to avoid this crash. + dannf> However, in 2.6.8 init_timer() also sets a magic number. add_timer() + dannf> will call __mod_timer(), which calls check_timer(), which will cause + dannf> the kernel to whine if this magic number is not set. I don't think this + dannf> will cause a crash, so I'm considering a non-security issue +Bugs: +upstream: released (2.6.20-rc5) +linux-2.6: released (2.6.20-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-10) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.12-breezy-security: released (2.6.12-10.43) +2.6.15-dapper-security: released (2.6.15-28.51) +2.6.17-edgy-security: released (2.6.17.1-11.35) diff --git a/retired/CVE-2006-6304 b/retired/CVE-2006-6304 new file mode 100644 index 000000000..931f85755 --- /dev/null +++ b/retired/CVE-2006-6304 
@@ -0,0 +1,14 @@ +Candidate: CVE-2006-6304 +References: +Description: +Ubuntu-Description: +Notes: Only 2.6.19 affected +Bugs: +upstream: +linux-2.6: +2.6.18-etch-security: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.12-breezy-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: N/A -- cgit v1.2.3
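Review bot: the upstream: and linux-2.6: fields of the CVE-2006-5158 entry are left empty although the Notes line already states "Bug introduced in 2.6.9, fixed in 2.6.15-rc6"; record the fix as "upstream: released (2.6.15-rc6)" and give linux-2.6 a status before moving the file to retired/, otherwise the retired entry carries no fix record. Minor wording point in the Ubuntu-Description: "crash lockd and thus rendering the NFS imports inaccessible" should read "and thus render".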
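Review bot: the Notes block of CVE-2006-5173 still carries an unresolved question, "Are we sure this affects 2.6.17 and before? The CFI_ADJUST_CFA_OFFSET doesn't seem to be present in these kernels.", while the same entry marks 2.6.15-dapper-security and 2.6.17-edgy as released; either answer the question in Notes (which kernels were actually affected) or keep the file in active/ until it is settled, since retiring it hides the open item.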
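Review bot: CVE-2006-5174 is moved to retired/ while its linux-2.6 line still reads "needed" and the Notes say "Fix from 2.6.18-3 was reverted, caused problems"; an entry with an outstanding fix belongs in active/, or the Notes should state why no further linux-2.6 fix is planned. The Ubuntu-Description field is also empty.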
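Review bot: the Notes of CVE-2006-5648 record that "sparc is also vulnerable in 2.6.18" but conclude only "I'll mark Debian as ok" because the CVE is powerpc-specific; once this file is retired the sparc exposure is no longer tracked anywhere, so it should be carried over to a separate entry or its disposition stated explicitly. Also, "2.6.19-feisty: released" gives no package version, unlike every other released line in this entry.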
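Review bot: CVE-2006-5649 has no 2.6.18-etch-security line even though the sibling entries in this commit (CVE-2006-5648, CVE-2006-5749, CVE-2006-6304) carry one and the fix is recorded as "linux-2.6: released (2.6.18-4)"; add the etch status so the retired entry is complete for the 2.6.18 tree.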
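Review bot: the Notes and status lines of CVE-2006-5749 disagree: dannf writes "2.4 and 2.6 < 2.6.13 are not vulnerable", yet the entry lists "2.6.12-breezy-security: released (2.6.12-10.43)", and the Description (the CVE text) says the 2.4 kernel before 2.4.34-rc4 is affected while 2.4.27-sarge-security is N/A. State in Notes which reading is correct so the N/A and released markings can be checked against it.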
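Review bot: CVE-2006-6304 is retired with empty References, Description, Ubuntu-Description, upstream and linux-2.6 fields, and although Notes says "Only 2.6.19 affected" the entry has no 2.6.19-feisty line (CVE-2006-5648 in this same commit has one); add at least the reference and the 2.6.19 status so the retired file records why it was closed.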