This bug was fixed in the package linux - 2.6.24-23.46

---------------
linux (2.6.24-23.46) hardy-proposed; urgency=low

  [Alessio Igor Bogani]

  * rt: Updated PREEMPT_RT support to rt21
    - LP: #302138

  [Amit Kucheria]

  * SAUCE: Update lpia patches from moblin tree
    - LP: #291457

  [Andy Whitcroft]

  * SAUCE: replace gfs2_bitfit with upstream version to prevent oops
    - LP: #276641

  [Colin Ian King]

  * isdn: Do not validate ISDN net device address prior to interface-up
    - LP: #237306
  * hwmon: (coretemp) Add Penryn CPU to coretemp
    - LP: #235119
  * USB: add support for Motorola ROKR Z6 cellphone in mass storage mode
    - LP: #263217
  * md: fix an occasional deadlock in raid5
    - LP: #208551

  [Stefan Bader]

  * SAUCE: buildenv: Show CVE entries in printchanges
  * SAUCE: buildenv: Send git-ubuntu-log informational message to stderr
  * Xen: dma: avoid unnecessarily SWIOTLB bounce buffering
    - LP: #247148
  * Update openvz patchset to apply to latest stable tree.
    - LP: #301634
  * XEN: Fix FTBS with stable updates
    - LP: #301634

  [Steve Conklin]

  * Add HID quirk for dual USB gamepad
    - LP: #140608

  [Tim Gardner]

  * Enable CONFIG_AX25_DAMA_SLAVE=y
    - LP: #257684
  * SAUCE: Correctly blacklist Thinkpad r40e in ACPI
    - LP: #278794
  * SAUCE: ALPS touchpad for Dell Latitude E6500/E6400
    - LP: #270643

  [Upstream Kernel Changes]

  * Revert "[Bluetooth] Eliminate checks for impossible conditions in IRQ handler"
    - LP: #217659
  * KVM: VMX: Clear CR4.VMXE in hardware_disable
    - LP: #268981
  * iov_iter_advance() fix
    - LP: #231746
  * Fix off-by-one error in iov_iter_advance()
    - LP: #231746
  * USB: serial: ch341: New VID/PID for CH341 USB-serial
    - LP: #272485
  * x86: Fix 32-bit x86 MSI-X allocation leakage
    - LP: #273103
  * b43legacy: Fix failure in rate-adjustment mechanism
    - LP: #273143
  * x86: Reserve FIRST_DEVICE_VECTOR in used_vectors bitmap.
    - LP: #276334
  * openvz: merge missed fixes from vanilla 2.6.24 openvz branch
    - LP: #298059
  * openvz: some autofs related fixes
    - LP: #298059
  * openvz: fix ve stop deadlock after nfs connect
    - LP: #298059
  * openvz: fix netlink and rtnl inside container
    - LP: #298059
  * openvz: fix wrong size of ub0_percpu
    - LP: #298059
  * openvz: fix OOPS while stopping VE started before binfmt_misc.ko loaded
    - LP: #298059
  * x86-64: Fix "bytes left to copy" return value for copy_from_user()
  * NET: Fix race in dev_close(). (Bug 9750)
    - LP: #301608
  * IPV6: Fix IPsec datagram fragmentation
    - LP: #301608
  * IPV6: dst_entry leak in ip4ip6_err.
    - LP: #301608
  * IPV4: Remove IP_TOS setting privilege checks.
    - LP: #301608
  * IPCONFIG: The kernel gets no IP from some DHCP servers
    - LP: #301608
  * IPCOMP: Disable BH on output when using shared tfm
    - LP: #301608
  * IRQ_NOPROBE helper functions
    - LP: #301608
  * MIPS: Mark all but i8259 interrupts as no-probe.
    - LP: #301608
  * ub: fix up the conversion to sg_init_table()
    - LP: #301608
  * x86: adjust enable_NMI_through_LVT0()
    - LP: #301608
  * SCSI ips: handle scsi_add_host() failure, and other err cleanups
    - LP: #301608
  * CRYPTO xcbc: Fix crash with IPsec
    - LP: #301608
  * CRYPTO xts: Use proper alignment
    - LP: #301608
  * SCSI ips: fix data buffer accessors conversion bug
    - LP: #301608
  * SCSI aic94xx: fix REQ_TASK_ABORT and REQ_DEVICE_RESET
    - LP: #301608
  * x86: replace LOCK_PREFIX in futex.h
    - LP: #301608
  * ARM pxa: fix clock lookup to find specific device clocks
    - LP: #301608
  * futex: fix init order
    - LP: #301608
  * futex: runtime enable pi and robust functionality
    - LP: #301608
  * file capabilities: simplify signal check
    - LP: #301608
  * hugetlb: ensure we do not reference a surplus page after handing it to buddy
    - LP: #301608
  * ufs: fix parenthesisation in ufs_set_fs_state()
    - LP: #301608
  * spi: pxa2xx_spi clock polarity fix
    - LP: #301608
  * NETFILTER: Fix incorrect use of skb_make_writable
    - LP: #301608
  * NETFILTER: fix ebtable targets return
    - LP: #301608
  * SCSI advansys: fix overrun_buf aligned bug
    - LP: #301608
  * pata_hpt*, pata_serverworks: fix UDMA masking
    - LP: #301608
  * moduleparam: fix alpha, ia64 and ppc64 compile failures
    - LP: #301608
  * PCI x86: always use conf1 to access config space below 256 bytes
    - LP: #301608
  * e1000e: Fix CRC stripping in hardware context bug
    - LP: #301608
  * atmel_spi: fix clock polarity
    - LP: #301608
  * x86: move out tick_nohz_stop_sched_tick() call from the loop
    - LP: #301608
  * macb: Fix speed setting
    - LP: #301608
  * ioat: fix 'ack' handling, driver must ensure that 'ack' is zero
    - LP: #301608
  * VT notifier fix for VT switch
    - LP: #301608
  * USB: ftdi_sio: Workaround for broken Matrix Orbital serial port
    - LP: #301608
  * USB: ftdi_sio - really enable EM1010PC
    - LP: #301608
  * SCSI: fix BUG when sum(scatterlist) > bufflen
    - LP: #301608
  * x86: don't use P6_NOPs if compiling with CONFIG_X86_GENERIC
    - LP: #301608
  * Fix default compose table initialization
    - LP: #301608
  * SCSI: gdth: bugfix for the at-exit problems
    - LP: #301608
  * sched: fix race in schedule()
    - LP: #301608
  * nfsd: fix oops on access from high-numbered ports
    - LP: #301608
  * sched_nr_migrate wrong mode bits
    - LP: #301608
  * NETFILTER: xt_time: fix failure to match on Sundays
    - LP: #301608
  * NETFILTER: nfnetlink_queue: fix computation of allocated size for netlink skb
    - LP: #301608
  * NETFILTER: nfnetlink_log: fix computation of netlink skb size
    - LP: #301608
  * zisofs: fix readpage() outside i_size
    - LP: #301608
  * jbd2: correctly unescape journal data blocks
    - LP: #301608
  * jbd: correctly unescape journal data blocks
    - LP: #301608
  * aio: bad AIO race in aio_complete() leads to process hang
    - LP: #301608
  * async_tx: avoid the async xor_zero_sum path when src_cnt > device->max_xor
    - LP: #301608
  * SCSI advansys: Fix bug in AdvLoadMicrocode
    - LP: #301608
  * BLUETOOTH: Fix bugs in previous conn add/del workqueue changes.
    - LP: #301608
  * relay: fix subbuf_splice_actor() adding too many pages
    - LP: #301608
  * slab: NUMA slab allocator migration bugfix
    - LP: #301608
  * S390 futex: let futex_atomic_cmpxchg_pt survive early functional tests.
    - LP: #301608
  * Linux 2.6.24.4
    - LP: #301608
  * time: prevent the loop in timespec_add_ns() from being optimised away
    - LP: #301632
  * kbuild: soften modpost checks when doing cross builds
    - LP: #301632
  * mtd: memory corruption in block2mtd.c
    - LP: #301632
  * md: remove the 'super' sysfs attribute from devices in an 'md' array
    - LP: #301632
  * V4L: ivtv: Add missing sg_init_table()
    - LP: #301632
  * UIO: add pgprot_noncached() to UIO mmap code
    - LP: #301632
  * USB: new quirk flag to avoid Set-Interface
    - LP: #301632
  * NOHZ: reevaluate idle sleep length after add_timer_on()
    - LP: #301632
  * slab: fix cache_cache bootstrap in kmem_cache_init()
    - LP: #301632
  * xen: fix RMW when unmasking events
    - LP: #301632
  * xen: mask out SEP from CPUID
    - LP: #301632
  * xen: fix UP setup of shared_info
    - LP: #301632
  * PERCPU : __percpu_alloc_mask() can dynamically size percpu_data storage
    - LP: #301632
  * alloc_percpu() fails to allocate percpu data
    - LP: #301632
  * vfs: fix data leak in nobh_write_end()
    - LP: #301632
  * pci: revert SMBus unhide on HP Compaq nx6110
    - LP: #301632
  * vmcoreinfo: add the symbol "phys_base"
    - LP: #301632
  * USB: Allow initialization of broken keyspan serial adapters.
    - LP: #301632
  * USB: serial: fix regression in Visor/Palm OS module for kernels >= 2.6.24
    - LP: #301632
  * USB: serial: ti_usb_3410_5052: Correct TUSB3410 endpoint requirements.
    - LP: #301632
  * CRYPTO xcbc: Fix crash when ipsec uses xcbc-mac with big data chunk
    - LP: #301632
  * mtd: fix broken state in CFI driver caused by FL_SHUTDOWN
    - LP: #301632
  * ipmi: change device node ordering to reflect probe order
    - LP: #301632
  * AX25 ax25_out: check skb for NULL in ax25_kick()
    - LP: #301632
  * NET: include into linux/ethtool.h for __u* typedef
    - LP: #301632
  * SUNGEM: Fix NAPI assertion failure.
    - LP: #301632
  * INET: inet_frag_evictor() must run with BH disabled
    - LP: #301632
  * LLC: Restrict LLC sockets to root
    - LP: #301632
  * netpoll: zap_completion_queue: adjust skb->users counter
    - LP: #301632
  * PPPOL2TP: Make locking calls softirq-safe
    - LP: #301632
  * PPPOL2TP: Fix SMP issues in skb reorder queue handling
    - LP: #301632
  * NET: Add preemption point in qdisc_run
    - LP: #301632
  * sch_htb: fix "too many events" situation
    - LP: #301632
  * SCTP: Fix local_addr deletions during list traversals.
    - LP: #301632
  * NET: Fix multicast device ioctl checks
    - LP: #301632
  * TCP: Fix shrinking windows with window scaling
    - LP: #301632
  * TCP: Let skbs grow over a page on fast peers
    - LP: #301632
  * VLAN: Don't copy ALLMULTI/PROMISC flags from underlying device
    - LP: #301632
  * SPARC64: Fix atomic backoff limit.
    - LP: #301632
  * SPARC64: Fix __get_cpu_var in preemption-enabled area.
    - LP: #301632
  * SPARC64: flush_ptrace_access() needs preemption disable.
    - LP: #301632
  * libata: assume no device is attached if both IDENTIFYs are aborted
    - LP: #301632
  * sis190: read the mac address from the eeprom first
    - LP: #301632
  * bluetooth: hci_core: defer hci_unregister_sysfs()
    - LP: #301632
  * SPARC64: Fix FPU saving in 64-bit signal handling.
    - LP: #301632
  * DVB: tda10086: make the 22kHz tone for DISEQC a config option
    - LP: #301632
  * HFS+: fix unlink of links
    - LP: #301632
  * plip: replace spin_lock_irq with spin_lock_irqsave in irq context
    - LP: #301632
  * signalfd: fix for incorrect SI_QUEUE user data reporting
    - LP: #301632
  * POWERPC: Fix build of modular drivers/macintosh/apm_emu.c
    - LP: #301632
  * PARISC futex: special case cmpxchg NULL in kernel space
    - LP: #301632
  * PARISC pdc_console: fix bizarre panic on boot
    - LP: #301632
  * PARISC fix signal trampoline cache flushing
    - LP: #301632
  * acpi: bus: check once more for an empty list after locking it
    - LP: #301632
  * fbdev: fix /proc/fb oops after module removal
    - LP: #301632
  * macb: Call phy_disconnect on removing
    - LP: #301632
  * file capabilities: remove cap_task_kill()
    - LP: #301632
  * locks: fix possible infinite loop in fcntl(F_SETLKW) over nfs
    - LP: #301632
  * Linux 2.6.24.5
    - LP: #301632
  * splice: use mapping_gfp_mask
    - LP: #301634
  * fix oops on rmmod capidrv
    - LP: #301634
  * USB: gadget: queue usb USB_CDC_GET_ENCAPSULATED_RESPONSE message
    - LP: #301634
  * JFFS2: Fix free space leak with in-band cleanmarkers
    - LP: #301634
  * Increase the max_burst threshold from 3 to tp->reordering.
    - LP: #301634
  * USB: remove broken usb-serial num_endpoints check
    - LP: #301634
  * V4L: Fix VIDIOCGAP corruption in ivtv
    - LP: #301634
  * Linux 2.6.24.6, 2.6.24.7
    - LP: #301634

linux (2.6.24-22.45) hardy-security; urgency=low

  [Upstream Kernel Changes]

  * Don't allow splice() to files opened with O_APPEND
    - CVE-2008-4554
  * sctp: Fix oops when INIT-ACK indicates that peer doesn't support AUTH
    - CVE-2008-4576
  * sctp: Fix kernel panic while process protocol violation parameter
    - CVE-2008-4618
  * hfsplus: fix Buffer overflow with a corrupted image
    - CVE-2008-4933
  * hfsplus: check read_mapping_page() return value
    - CVE-2008-4934
  * net: Fix recursive descent in __scm_destroy().
    - CVE-2008-5029
  * net: unix: fix inflight counting bug in garbage collector
    - CVE-2008-5029
  * security: avoid calling a NULL function pointer in drivers/video/tvaudio.c
    - CVE-2008-5033
  * hfs: fix namelength memory corruption
    - CVE-2008-5025
  * V4L/DVB (9621): Avoid writing outside shadow.bytes[] array

 -- Stefan Bader