LinuxQuestions.org
01-23-2006, 11:50 AM   #1
kingkhan2006
LQ Newbie
 
Registered: Jan 2006
Posts: 6

Rep: Reputation: 0
CAN-2004-1335 : Linux kernel patch for the open source 2.4.28


Hello all,

I work for a security company that uses the open source Linux kernel 2.4.28 on our embedded appliance.
In an effort to fix all open security vulnerabilities, we decided to have it patched. I had a couple of questions in this regard.

1] The fix for CVE-2004-1016 and CAN-2004-1335 has been done in 2.4.29, we do not intend to move to this version. How and where do I get the patch for the 2.4.28 version?

2] The reference to this vulnerability has patches for 2.4.28 but only through vendors like Red Hat and SUSE (I have to pay to get the patch, I believe), but is there a site that has all the security patches [2.4.28] for open source users like us?

3] Going forward, if there is a patch that is posted on an X, Y, Z site, how do I rely on it not to have GPL and trojan issues in patches?

I do not know if this is a forum for these questions, but please take time to address this problem of ours.

Please cc your reply to kingkhan@gmail.com

Regards
king khan
 
01-24-2006, 09:42 PM   #2
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Rep: Reputation: 52
Quote:
How and where do I get the patch for the 2.4.28 version?
There is no patch for 2.4.28 specifically - the patch for that vuln. is part of the changes between 2.4.28 and 2.4.29.

Quote:
2] The reference to this vulnerability has patches for 2.4.28 but only through vendors like Red Hat and SUSE (I have to pay to get the patch, I believe)
Most distro vendors backport security/bug fixes into the earlier versions of their kernels that they release. They do this for the same reason you want - they want to keep to the same kernel version for stability reasons. Red Hat releases the source packages for all their stuff on their public FTP stuff (it's GPL software after all) and you can get it indirectly in both source and binary form through Red Hat-rebuild distros like CentOS. There are also plenty of other distros out there (Mandriva, Debian, Gentoo etc.) which might have examples of a 2.4.28 kernel with the latest patches backported.

You might not want to use one of these kernels directly, as you probably have only specific options enabled on your kernel if it's an embedded appliance - most distros compile almost everything into their kernels.

Quote:
3] Going forward, if there is a patch that is posted on an X, Y, Z site, how do I rely on it not to have GPL and trojan issues in patches
Check the MD5 or SHA1 sum against that listed on the kernel.org site. If it's a patch that's not an official part of the kernel (i.e. it's some 3rd party thing) then you should read the changes the patch makes yourself and decide if it's trojaned or not, or decide how much you trust the person who wrote the patch. The Linux kernel will always be GPL.

Quote:
Please cc your reply to kingkhan@gmail.com
In your user options on this site there's an option to send an email notification when someone posts a reply.
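
One way to carry out the checks suggested in the reply above, as an added example that is not part of the original posts: compare the download's SHA-1 with the published value, then list the files the patch touches and flag any that fall outside the part of the tree the fix is supposed to change. The function names, the `net/` scope and the sample patch are constructed for illustration.

```shell
# Added example: vet a third-party patch before running `patch -p1`.
verify_sum() {      # usage: verify_sum FILE EXPECTED_SHA1
    actual=$(sha1sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# Files a unified diff modifies, first path component stripped (as -p1 does).
# A "+++ " line counts only when it directly follows a "--- " header line.
patch_files() {     # usage: patch_files PATCHFILE
    awk '/^--- / { hdr = 1; next }
         hdr && /^\+\+\+ / && $2 != "/dev/null" {
             p = $2; sub("^[^/]*/", "", p); print p }
         { hdr = 0 }' "$1" | sort -u
}

# Print touched files outside the given directory prefixes; status 1 if any.
out_of_scope() {    # usage: out_of_scope PATCHFILE PREFIX...
    pf=$1; shift; rc=0
    for f in $(patch_files "$pf"); do
        ok=no
        for prefix in "$@"; do
            case $f in "$prefix"*) ok=yes ;; esac
        done
        if [ "$ok" = no ]; then echo "$f"; rc=1; fi
    done
    return $rc
}

# Constructed sample patch (illustrative only, not the real 2.4.29 change).
make_sample_patch() {
    cat > "$1" <<'EOF'
--- linux-2.4.28/net/core/sample.c 2005-01-01
+++ linux-2.4.28-fix/net/core/sample.c 2005-01-02
@@ -1 +1,2 @@
 {
+    if (n < 0) return -1;
--- linux-2.4.28/Makefile 2005-01-01
+++ linux-2.4.28-fix/Makefile 2005-01-02
@@ -1 +1,2 @@
 all:
+include extra.mk
EOF
}

tmp=$(mktemp) && make_sample_patch "$tmp"
out_of_scope "$tmp" net/ || echo "^ outside net/: read these changes first"
rm -f "$tmp"
```

A matching checksum only shows the file is the one the publisher listed; the scope check narrows what still has to be read by hand.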
 
01-29-2006, 05:31 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
The 2.4-hf kernel tree which only contains hotfixes for 2.4 mainline kernels. These are intended for people who cannot upgrade for various reasons, and who still need to apply a security or stability fix.
http://linux.exosec.net/kernel/2.4-hf/

They've actually just added support for the 2.4.28 kernel!!!

Last edited by win32sux; 01-30-2006 at 12:24 AM.
 
  


All times are GMT -5. The time now is 04:17 PM.
