------------------------------------------------------------------- Fri Oct 16 11:04:23 CEST 2015 - mbenes@suse.cz - Bump up the version number in spec file - commit 75ee48f ------------------------------------------------------------------- Fri Oct 9 16:27:11 CEST 2015 - mbenes@suse.cz - Fix for CVE-2015-7613 (Unauthorized access to IPC objects with SysV shm) Live patch for CVE-2015-7613. Upstream commits e8577d1f0329 ("ipc/sem.c: fully initialize sem_array before making it visible") and b9a532277938 ("Initialize msg/shm IPC objects before doing ipc_addid()"). Fixes: CVE-2015-7613 References: bsc#948701 CVE-2015-7613 - commit 7ded504 ------------------------------------------------------------------- Tue Sep 1 13:00:23 CEST 2015 - mmarek@suse.com - Include the RPM version number in the module name - commit 8fa02c6 ------------------------------------------------------------------- Thu Aug 27 18:08:41 CEST 2015 - mbenes@suse.cz - bsc#940342: Remove a dependency on scsi_mod module Current implementation makes the kgraft module dependable on scsi_mod module. This is because a patched function from sg module calls exported functions from scsi_mod. We inherit this dependency. Since it is unwanted treat all such exported symbols as non-exported (look them up in kallsyms). - commit 478e009 ------------------------------------------------------------------- Wed Aug 26 18:52:30 CEST 2015 - mbenes@suse.cz - Fix for CVE-2015-5707 (Integer overflow in SCSI generic driver) Live patch for CVE-2015-5707. Upstream commit 451a2886b6bf ("sg_start_req(): make sure that there's not too many elements in iovec"). Fixes: CVE-2015-5707 References: bsc#940342 CVE-2015-5707 - commit aeb5637 ------------------------------------------------------------------- Wed Aug 26 11:29:44 CEST 2015 - mbenes@suse.cz - Remove forgotten debug option in the Makefile - commit 9c24ab8 ------------------------------------------------------------------- Tue Aug 18 16:00:35 CEST 2015 - mbenes@suse.cz - bsc#939276: Minor fix in copyright notice - commit 1dfa48b ------------------------------------------------------------------- Tue Aug 18 14:34:02 CEST 2015 - mbenes@suse.cz - bsc#939277: Add copyright notice - commit 38ec750 ------------------------------------------------------------------- Tue Aug 18 14:32:30 CEST 2015 - mbenes@suse.cz - bsc#939276: Add copyright notice - commit 0bf04b0 ------------------------------------------------------------------- Tue Aug 18 14:29:26 CEST 2015 - mbenes@suse.cz - bsc#939273: Add copyright notice - commit 6ec78f8 ------------------------------------------------------------------- Tue Aug 18 14:28:48 CEST 2015 - mbenes@suse.cz - bsc#939270: Add copyright notice - commit a3150c0 ------------------------------------------------------------------- Tue Aug 18 14:28:08 CEST 2015 - mbenes@suse.cz - bsc#939263: Add copyright notice - commit a845fbc ------------------------------------------------------------------- Tue Aug 18 14:24:01 CEST 2015 - mbenes@suse.cz - bsc#939262: Add copyright notice - commit e3d9677 ------------------------------------------------------------------- Tue Aug 18 14:20:00 CEST 2015 - mbenes@suse.cz - bsc#939241: Add copyright notice - commit efb51c9 ------------------------------------------------------------------- Mon Aug 17 13:42:04 CEST 2015 - mbenes@suse.cz - Add license and copyright notices - commit d42d3aa ------------------------------------------------------------------- Fri Aug 14 11:25:29 CEST 2015 - mbenes@suse.cz - bsc#939262: The patch is x86-specific. Make it so in the code. This amends the build on other architectures. - commit 88d15fe ------------------------------------------------------------------- Thu Aug 13 15:28:56 CEST 2015 - mbenes@suse.cz - bsc#939273: The patch is x86-specific. Make it so in the code. This amends the build on other architectures. - commit 432cd57 ------------------------------------------------------------------- Thu Aug 13 14:15:27 CEST 2015 - mbenes@suse.cz - bsc#939263: Fix build on s390x due to some differences in header files - commit 1a7eafd ------------------------------------------------------------------- Wed Aug 12 14:13:16 CEST 2015 - mbenes@suse.cz - Bump the version number in spec file - commit fe16231 ------------------------------------------------------------------- Wed Aug 12 14:12:41 CEST 2015 - mbenes@suse.cz - Revert "Remove immediate flag" This reverts commit c767ad22eb4ea4ac389c15de090e8643a0b85722. - commit 835e998 ------------------------------------------------------------------- Tue Aug 11 11:48:35 CEST 2015 - mbenes@suse.cz - Fix for CVE-2015-3339 (race condition between chown() and execve()) Live patch for CVE-2015-3339. Upstream commit 8b01fc86b9f4 ("fs: take i_mutex during prepare_binprm for set[ug]id executables"). References: bsc#939263 bsc#939044 CVE-2015-3339 - commit cc0e395 ------------------------------------------------------------------- Fri Aug 7 16:05:12 CEST 2015 - mbenes@suse.cz - Fix for CVE-2015-3636 (ping sockets: use-after-free leading to local privilege escalation) Live patch for CVE-2015-3636. Upstream commit a134f083e79f ("ipv4: Missing sk_nulls_node_init() in ping_unhash()."). References: bsc#939277 CVE-2015-3636 - commit 84928ed ------------------------------------------------------------------- Thu Aug 6 17:37:28 CEST 2015 - mbenes@suse.cz - Fix for CVE-2015-5364 and CVE-2015-5366 (net: remote DoS via flood of UDP packets with invalid checksums) Live patch for CVE-2015-5364 and CVE-2015-5366. Upstream commit beb39db59d14 ("udp: fix behavior of wrong checksums"). References: bsc#939276 CVE-2015-5364 CVE-2015-5366 - commit 690ca21 ------------------------------------------------------------------- Wed Aug 5 18:46:32 CEST 2015 - mbenes@suse.cz - Fix for CVE-2015-1805 (pipe: iovec overrun leading to memory corruption) Live patch for CVE-2015-1805. The issue was fixed in the upstream by commits f0d1bec9d58d ("new helper: copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to copy_page_to_iter()"). There are not suitable for a patch though, so stable commit e3d4ed26cd9d ("pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic") (see expanded tree) from 3.12.45 was used. References: bsc#939270 CVE-2015-1805 - commit 37429cf ------------------------------------------------------------------- Wed Aug 5 13:25:30 CEST 2015 - mbenes@suse.cz - Fix for CVE-2015-4700 (bpf jit optimization flaw can panic kernel) Live patch for CVE-2015-4700. Upstream commit 3f7352bf21f8 ("x86: bpf_jit: fix compilation of large bpf programs"). References: bsc#939273 CVE-2015-4700 - commit a53b0e7 ------------------------------------------------------------------- Thu Jul 23 16:17:05 CEST 2015 - mbenes@suse.cz - Fix for CVE-2015-3331 (kernel: Buffer overruns in Linux kernel RFC4106 implementation using AESNI) Live patch for CVE-2015-3331. Upstream commit ccfe8c3f7e52 ("crypto: aesni - fix memory usage in GCM decryption"). References: bsc#939262 CVE-2015-3331 - commit 5bdfe79 ------------------------------------------------------------------- Thu Jul 23 13:55:19 CEST 2015 - mbenes@suse.cz - Fix for CVE-2014-8159 (kernel: Mellanox security issue) Live patch for CVE-2014-8159. Upstream commits 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get address arithmetic"), 8abaae62f3fd ("IB/core: disallow registering 0-sized memory region") and 66578b0b2f69 ("IB/core: don't disallow registering region starting at 0x0"). References: bsc#939241 CVE-2014-8159 - commit 4261ef5 ------------------------------------------------------------------- Wed Jul 15 15:58:35 CEST 2015 - mbenes@suse.cz - Remove immediate flag Fake signal was merged to kGraft and immediate feature removed. Remove it in kGraft patches from now on too. - commit c767ad2 ------------------------------------------------------------------- Wed May 20 16:32:17 CEST 2015 - mbenes@suse.cz - Set immediate flag to false Using immediate set to true can lead to BUGs and oopses when downgrading, reverting or applying replace_all patches. There is no way how to find out if there is a process in the old code which is being removed. The module would be put, removed and the process will crash. The consistency model guarantees that there is no one in the old code when the finalization ends. Thus use it for all case to be safe. - commit 830e1a3 ------------------------------------------------------------------- Tue May 12 15:48:07 CEST 2015 - mbenes@suse.cz - Fix description in rpm spec file Spec file description mentions initial kGraft patch which is only true for real initial patch. Make it more neutral. References: bsc#930408 - commit a55e023 ------------------------------------------------------------------- Wed Apr 1 15:36:24 CEST 2015 - mbenes@suse.cz - Generate archives names automatically in tar-up.sh - commit 1f34f18 ------------------------------------------------------------------- Wed Apr 1 13:39:26 CEST 2015 - mbenes@suse.cz - Automatically generate .changes file from git log Also add comments to tar-up.sh script to distinguish between sections. - commit 212a7ae ------------------------------------------------------------------- Fri Mar 27 11:06:34 CET 2015 - mbenes@suse.cz - Update IBS_PROJECT to correct maintenance incident after initial submission - commit e184cef ------------------------------------------------------------------- Thu Mar 26 14:24:21 CET 2015 - mmarek@suse.cz - Revert "Require exact kernel version in the patch" This needs to be done differently, so that modprobe --force works as expected. References: bnc#920615 This reverts commit c62c11aecd4e3f8822e1b835fea403acc3148c5a. - commit bc88dd7 ------------------------------------------------------------------- Wed Mar 25 14:39:07 CET 2015 - mbenes@suse.cz - New branch for SLE12_Update_4 - commit 5d1cc76 ------------------------------------------------------------------- Wed Mar 25 13:10:24 CET 2015 - mmarek@suse.cz - Require exact kernel version in the patch References: bnc#920615 - commit c62c11a ------------------------------------------------------------------- Tue Mar 24 12:15:41 CET 2015 - mmarek@suse.cz - Add the git commit and branch to the package description References: bnc#920633 - commit 1ff4e48 ------------------------------------------------------------------- Wed Nov 26 10:09:14 CET 2014 - mbenes@suse.cz - Set immediate flag for the initial patch Setting immediate to true will simplify installation of the initial patch and possibly also of the further updates. References: bnc#907150 - commit 391b810 ------------------------------------------------------------------- Tue Nov 25 16:26:40 CET 2014 - mbenes@suse.cz - Add .replace_all set to true Add .replace_all flag set to true even to the initial patch. Thus we will not forget to add that later. Also .immediate is there as a comment. - commit 933e15e ------------------------------------------------------------------- Mon Nov 24 15:02:33 CET 2014 - mmarek@suse.cz - Drop the hardcoded kernel release string The updated kgraft-devel macros set this during build time, so we do not need to know the kernel release string beforehand. As a name suffix for the source packages, let's use SLE12_Test in the master branch and SLE12_Update_ in the update branches. - commit 65f7a25 ------------------------------------------------------------------- Fri Nov 21 15:48:48 CET 2014 - mmarek@suse.cz - Check that we are building against the set kernel version - commit 689e44a ------------------------------------------------------------------- Wed Nov 12 04:11:14 CET 2014 - mmarek@suse.cz - Mark the module as supported References: bnc#904970 - commit 6249314 ------------------------------------------------------------------- Tue Nov 11 17:11:28 CET 2014 - mmarek@suse.cz - Build the test packages against Devel:kGraft:SLE12 - commit c952fbb ------------------------------------------------------------------- Thu Nov 6 13:55:43 CET 2014 - mbenes@suse.cz - Add top git commit hash to uname -v Add top git commit hash to version part of uname. This makes the identification of current patch level easy (even in crash: p kgr_tag). References: fate#317769 - commit 54c9595 ------------------------------------------------------------------- Tue Nov 4 16:23:50 CET 2014 - mbenes@suse.cz - Replace @@RELEASE@@ in kgr_patch->name with @@RPMRELEASE@@ We need to replace @@RELEASE@@ in kgr_patch->name with @@RPMRELEASE@@ due to sysfs tree. @@RELEASE@@ changes with each new version of package. - commit 51fd9dd ------------------------------------------------------------------- Mon Nov 3 17:27:24 CET 2014 - mmarek@suse.cz - Add a source-timestamp file with the git commit hash and branch This is required by the bs-upload-kernel script to upload packages to the BS. It can also be used by the specfile in the future. - commit feab4f1 ------------------------------------------------------------------- Mon Nov 3 16:56:31 CET 2014 - mbenes@suse.cz - Initial commit - commit 600de9d ------------------------------------------------------------------- Mon Nov 3 14:59:46 CET 2014 - mmarek@suse.cz - Add config.sh script This tells the automatic builder which IBS project to use. - commit aa7f1cb