------------------------------------------------------------------- Thu Feb 2 11:13:36 CET 2017 - mbenes@suse.cz - Bump up the version number in spec file - commit 0f3de7e ------------------------------------------------------------------- Wed Feb 1 15:36:36 CET 2017 - mbenes@suse.cz - bsc#1004419: fix the loading problem on XEN kGraft patches for bsc#1004419 are broken for XEN arch. The modules cannot be loaded and kGraft reports "symbol follow_trans_huge_pmd() not resolved". The mentioned function comes from mm/huge_memory.c which is built only when CONFIG_TRANSPARENT_HUGEPAGES is set. This is not the case of XEN. The problem is that there is only one definition of the function. The only callsite is in follow_page_mask() which is built for XEN. The whole kernel builds successfully because GCC compiler is satisfied with a declaration of the function in include/linux/huge_mm.h. Then dead code elimination is applied and the only callsite is removed for XEN. Linked of course finds no problem afterwards. Move kallsyms lookup for follow_trans_huge_pmd() to !xen section and rely on a dead code elimination too. References: bsc#1023031 - commit 9ce989f ------------------------------------------------------------------- Fri Dec 30 15:28:38 CET 2016 - mbenes@suse.cz - Fix for CVE-2016-9806 (double free in netlink_dump) Live patch for CVE-2016-9806. Upstream commit 92964c79b357 ("netlink: Fix dump skb leak/double free"). Fixes: CVE-2016-9806 References: bsc#1017589 CVE-2016-9806 - commit 7d09b50 ------------------------------------------------------------------- Fri Dec 30 12:49:29 CET 2016 - mbenes@suse.cz - Bump up the version number in spec file - commit 0054198 ------------------------------------------------------------------- Thu Dec 22 17:15:25 CET 2016 - mbenes@suse.cz - Fix for CVE-2016-9794 (ALSA: use-after-free in,kill_fasync) Live patch for CVE-2016-9794. Upstream commit 3aa02cb664c5 ("ALSA: pcm : Call kill_fasync() in stream lock"). Fixes: CVE-2016-9794 References: bsc#1013543 CVE-2016-9794 - commit fbd84a7 ------------------------------------------------------------------- Tue Dec 20 14:51:09 CET 2016 - mbenes@suse.cz - Fix for CVE-2016-8632 (tipc: tipc_msg_build() doesn't validate MTU) Live patch for CVE-2016-8632. Upstream commit 3de81b758853 ("tipc: check minimum bearer MTU"). Fixes: CVE-2016-8632 References: bsc#1012852 CVE-2016-8632 - commit e4c637f ------------------------------------------------------------------- Tue Dec 13 14:47:06 CET 2016 - mbenes@suse.cz - Fix for CVE-2016-9576 (Use-after-free in SCSI Generic driver) Live patch for CVE-2016-9576. Based on SLE12(-SP1) commit b3017e878b1b ("splice: introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE (CVE-2016-9576, bsc#1013604)."). Fixes: CVE-2016-9576 References: bsc#1014271 CVE-2016-9576 - commit debf04f ------------------------------------------------------------------- Tue Dec 6 12:00:13 CET 2016 - mbenes@suse.cz - Bump up the version number in spec file - commit b001fe9 ------------------------------------------------------------------- Mon Dec 5 11:27:12 CET 2016 - mbenes@suse.cz - Fix for CVE-2016-8655 (Local root privilege packet_set_ring/timer_list) Live patch for CVE-2016-8655. Upstream commit 84ac7260236a ("packet: fix race condition in packet_set_ring"). Fixes: CVE-2016-8655 References: bsc#1012759 CVE-2016-8655 - commit 554f05e ------------------------------------------------------------------- Mon Nov 28 15:40:04 CET 2016 - mbenes@suse.cz - Fix for CVE-2016-9555 (net/sctp: slab-out-of-bounds in sctp_sf_ootb) Live patch for CVE-2016-9555. Upstream commit bf911e985d6b ("sctp: validate chunk len before actually using it"). Fixes: CVE-2016-9555 References: bsc#1012183 CVE-2016-9555 - commit 74dfd73 ------------------------------------------------------------------- Wed Nov 9 10:49:05 CET 2016 - mbenes@suse.cz - Fix for CVE-2016-7117 (use after free in the recvmmsg exit path) Live patch for CVE-2016-7117. Upstream commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"). Fixes: CVE-2016-7117 References: bsc#1003253 CVE-2016-7117 - commit 46f7a3d ------------------------------------------------------------------- Mon Oct 24 13:26:09 CEST 2016 - mbenes@suse.cz - Better to use SUSE:SLE-12:Update than Devel:kGraft:SLE12 project - commit bdc7598 ------------------------------------------------------------------- Fri Oct 21 13:15:50 CEST 2016 - mbenes@suse.cz - Bump up the version number in spec file - commit 154c54e ------------------------------------------------------------------- Thu Oct 20 11:23:09 CEST 2016 - mbenes@suse.cz - Fix for CVE-2016-5195 (mm: local privilege escalation using MAP_PRIVATE) Live patch for CVE-2016-5195. Upstream commit 19be0eaffa3a ("mm: remove gup_flags FOLL_WRITE games from __get_user_pages()"). Fixes: CVE-2016-5195 References: bsc#1004419 CVE-2016-5195 - commit ed4e33f ------------------------------------------------------------------- Mon Jul 25 10:59:24 CEST 2016 - mbenes@suse.cz - Fix for CVE-2016-4997 (netfilter: Linux local privilege escalation in compat_setsockopt) Live patch for CVE-2016-4997. Upstream commit ce683e5f9d04 ("netfilter: x_tables: check for bogus target offset") and more. Fixes: CVE-2016-4997 References: bsc#986377 CVE-2016-4997 - commit cda9913 ------------------------------------------------------------------- Wed Jul 13 10:21:02 CEST 2016 - mbenes@suse.cz - Bump up the version number in spec file - commit 8b7f6fd ------------------------------------------------------------------- Thu Jun 30 16:37:47 CEST 2016 - mbenes@suse.cz - Fix for CVE-2016-4470 (Uninitialized variable in request_key handling) Live patch for CVE-2016-4470. Upstream commit 38327424b40b ("KEYS: potential uninitialized variable"). Fixes: CVE-2016-4470 References: bsc#984764 CVE-2016-4470 - commit 3d2806b ------------------------------------------------------------------- Fri Jun 17 16:37:47 CEST 2016 - mbenes@suse.cz - Fix for CVE-2016-1583 (ecryptfs: stack overflow in ecryptfs with /proc/pid/environ could lead to root) Live patch for CVE-2016-1583. SLE12 commit 754f7d2e4ad5 ("ecryptfs: don't allow mmap when the lower file system doesn't allow it (bsc#983143 CVE-2016-1583).") Fixes: CVE-2016-1583 References: bsc#983144 CVE-2016-1583 - commit 818ce89 ------------------------------------------------------------------- Wed Jun 1 14:23:47 CEST 2016 - mbenes@suse.cz - Fix for CVE-2016-4565 (infiniband: Using write() instead of bi-directional ioctl() allows writing into user specified kernel memory) Live patch for CVE-2016-4565. Upstream commit e6bd18f57aad ("IB/security: Restrict use of the write() interface"). Fixes: CVE-2016-4565 References: bsc#980883 CVE-2016-4565 - commit e393681 ------------------------------------------------------------------- Wed May 25 11:21:25 CEST 2016 - mbenes@suse.cz - Fix for CVE-2016-0758 (tags with indefinite length can corrupt pointers in asn1_find_indefinite_length()) Live patch for CVE-2016-0758. Upstream commit 23c8a812dc3c ("KEYS: Fix ASN.1 indefinite length object parsing"). Fixes: CVE-2016-0758 References: bsc#980856 CVE-2016-0758 - commit a124d8f ------------------------------------------------------------------- Wed May 18 13:46:40 CEST 2016 - mbenes@suse.cz - Fix for CVE-2016-2053 (KEYS: Kernel panic and system lockup by triggering BUG_ON() in public_key_verify_signature()) Live patch for CVE-2016-2053. Upstream commit 0d62e9dd6da4 ("ASN.1: Fix non-match detection failure on data overrun"). Fixes: CVE-2016-2053 References: bsc#979074 CVE-2016-2053 - commit 4552bb3 ------------------------------------------------------------------- Thu May 12 11:25:04 CEST 2016 - mbenes@suse.cz - Fix for CVE-2015-8816 (USB: fix invalid memory access in hub_activate()) Live patch for CVE-2015-8816. Upstream commit e50293ef9775 ("USB: fix invalid memory access in hub_activate()"). Fixes: CVE-2015-8816 References: bsc#979064 CVE-2015-8816 - commit c8fea92 ------------------------------------------------------------------- Tue May 10 18:41:10 CEST 2016 - mbenes@suse.cz - Convert all KGR_PATCH macro calls to a new API - commit ea18d49 ------------------------------------------------------------------- Tue May 10 18:36:34 CEST 2016 - mbenes@suse.cz - Convert all KGR_PATCH macro calls to a new API - commit 6553fcc ------------------------------------------------------------------- Tue May 10 15:43:59 CEST 2016 - mbenes@suse.cz - Add compat.h to deal with changes of KGR_PATCH macro Sympos patch set for kGraft redefined KGR_PATCH macro and added two new ones. Add new compat.h which contains macro magic so that all kGraft patches would work on both old and new kernels with the patch set merged. - commit 4186bef ------------------------------------------------------------------- Fri May 6 17:01:17 CEST 2016 - mbenes@suse.cz - Fix the number of parameters of KGR_PATCH macro New kernels contain kGraft's sympos patch set which changed number of paramaters of KGR_PATCH macro and introduced new macros. Fix it in master so it will be ok for new branches. - commit 78cf676 ------------------------------------------------------------------- Mon Apr 25 17:12:28 CEST 2016 - mbenes@suse.cz - Fix for CVE-2016-3134 (netfilter: missing bounds check in ipt_entry structure) Live patch for CVE-2016-3134. Upstream commits bdf533de6968 ("netfilter: x_tables: validate e->target_offset early"), 6e94e0cfb088 ("netfilter: x_tables: make sure e->next_offset covers remaining blob size") and 54d83fc74aa9 ("netfilter: x_tables: fix unconditional helper"). Fixes: CVE-2016-3134 References: bsc#971793 CVE-2016-3134 - commit f1575b5 ------------------------------------------------------------------- Thu Apr 7 11:29:54 CEST 2016 - mbenes@suse.cz - Fix for bsc#973570 (samba: smbd locks up the kernel) Live patch for bsc#973570. Fix for CVE-2013-7446 introduced a bug possibly leading to a softlockup. Upstream commit a5527dda344f ("af_unix: Guard against other == sk in unix_dgram_sendmsg"). Fixes: bsc#973570 References: bsc#973570 bsc#955837 CVE-2013-7446 - commit badea91 ------------------------------------------------------------------- Fri Mar 4 09:44:52 CET 2016 - mbenes@suse.cz - Update IBS_PROJECT to correct maintenance incident after initial submission - commit 2a435bc ------------------------------------------------------------------- Tue Mar 1 10:17:04 CET 2016 - mbenes@suse.cz - New branch for SLE12_Update_12 - commit 4272f59 ------------------------------------------------------------------- Tue Sep 1 13:00:23 CEST 2015 - mmarek@suse.com - Include the RPM version number in the module name - commit 8fa02c6 ------------------------------------------------------------------- Wed Aug 26 11:29:44 CEST 2015 - mbenes@suse.cz - Remove forgotten debug option in the Makefile - commit 9c24ab8 ------------------------------------------------------------------- Mon Aug 17 13:42:04 CEST 2015 - mbenes@suse.cz - Add license and copyright notices - commit d42d3aa ------------------------------------------------------------------- Wed Jul 15 15:58:35 CEST 2015 - mbenes@suse.cz - Remove immediate flag Fake signal was merged to kGraft and immediate feature removed. Remove it in kGraft patches from now on too. - commit c767ad2 ------------------------------------------------------------------- Wed May 20 16:32:17 CEST 2015 - mbenes@suse.cz - Set immediate flag to false Using immediate set to true can lead to BUGs and oopses when downgrading, reverting or applying replace_all patches. There is no way how to find out if there is a process in the old code which is being removed. The module would be put, removed and the process will crash. The consistency model guarantees that there is no one in the old code when the finalization ends. Thus use it for all case to be safe. - commit 830e1a3 ------------------------------------------------------------------- Tue May 12 15:48:07 CEST 2015 - mbenes@suse.cz - Fix description in rpm spec file Spec file description mentions initial kGraft patch which is only true for real initial patch. Make it more neutral. References: bsc#930408 - commit a55e023 ------------------------------------------------------------------- Wed Apr 1 15:36:24 CEST 2015 - mbenes@suse.cz - Generate archives names automatically in tar-up.sh - commit 1f34f18 ------------------------------------------------------------------- Wed Apr 1 13:39:26 CEST 2015 - mbenes@suse.cz - Automatically generate .changes file from git log Also add comments to tar-up.sh script to distinguish between sections. - commit 212a7ae ------------------------------------------------------------------- Thu Mar 26 14:24:21 CET 2015 - mmarek@suse.cz - Revert "Require exact kernel version in the patch" This needs to be done differently, so that modprobe --force works as expected. References: bnc#920615 This reverts commit c62c11aecd4e3f8822e1b835fea403acc3148c5a. - commit bc88dd7 ------------------------------------------------------------------- Wed Mar 25 13:10:24 CET 2015 - mmarek@suse.cz - Require exact kernel version in the patch References: bnc#920615 - commit c62c11a ------------------------------------------------------------------- Tue Mar 24 12:15:41 CET 2015 - mmarek@suse.cz - Add the git commit and branch to the package description References: bnc#920633 - commit 1ff4e48 ------------------------------------------------------------------- Wed Nov 26 10:09:14 CET 2014 - mbenes@suse.cz - Set immediate flag for the initial patch Setting immediate to true will simplify installation of the initial patch and possibly also of the further updates. References: bnc#907150 - commit 391b810 ------------------------------------------------------------------- Tue Nov 25 16:26:40 CET 2014 - mbenes@suse.cz - Add .replace_all set to true Add .replace_all flag set to true even to the initial patch. Thus we will not forget to add that later. Also .immediate is there as a comment. - commit 933e15e ------------------------------------------------------------------- Mon Nov 24 15:02:33 CET 2014 - mmarek@suse.cz - Drop the hardcoded kernel release string The updated kgraft-devel macros set this during build time, so we do not need to know the kernel release string beforehand. As a name suffix for the source packages, let's use SLE12_Test in the master branch and SLE12_Update_ in the update branches. - commit 65f7a25 ------------------------------------------------------------------- Fri Nov 21 15:48:48 CET 2014 - mmarek@suse.cz - Check that we are building against the set kernel version - commit 689e44a ------------------------------------------------------------------- Wed Nov 12 04:11:14 CET 2014 - mmarek@suse.cz - Mark the module as supported References: bnc#904970 - commit 6249314 ------------------------------------------------------------------- Tue Nov 11 17:11:28 CET 2014 - mmarek@suse.cz - Build the test packages against Devel:kGraft:SLE12 - commit c952fbb ------------------------------------------------------------------- Thu Nov 6 13:55:43 CET 2014 - mbenes@suse.cz - Add top git commit hash to uname -v Add top git commit hash to version part of uname. This makes the identification of current patch level easy (even in crash: p kgr_tag). References: fate#317769 - commit 54c9595 ------------------------------------------------------------------- Tue Nov 4 16:23:50 CET 2014 - mbenes@suse.cz - Replace @@RELEASE@@ in kgr_patch->name with @@RPMRELEASE@@ We need to replace @@RELEASE@@ in kgr_patch->name with @@RPMRELEASE@@ due to sysfs tree. @@RELEASE@@ changes with each new version of package. - commit 51fd9dd ------------------------------------------------------------------- Mon Nov 3 17:27:24 CET 2014 - mmarek@suse.cz - Add a source-timestamp file with the git commit hash and branch This is required by the bs-upload-kernel script to upload packages to the BS. It can also be used by the specfile in the future. - commit feab4f1 ------------------------------------------------------------------- Mon Nov 3 16:56:31 CET 2014 - mbenes@suse.cz - Initial commit - commit 600de9d ------------------------------------------------------------------- Mon Nov 3 14:59:46 CET 2014 - mmarek@suse.cz - Add config.sh script This tells the automatic builder which IBS project to use. - commit aa7f1cb