kernel-image-speakup-i386 (2.4.27-1.1sarge6) oldstable-security; urgency=high

  * Build against kernel-tree-2.4.27-10sarge7:
    * [ERRATA] 268_ext2_readdir-f_pos-fix-2.diff
      Fix regression caused by 258_ext2_readdir-f_pos-fix.diff which can
      cause lock ups on ext2 mounts.

 -- dann frazier <dannf@debian.org>  Tue, 04 Mar 2008 00:20:16 -0700

kernel-image-speakup-i386 (2.4.27-1.1sarge5) oldstable-security; urgency=high

  * Build against kernel-tree-2.4.27-10sarge6:
    * 239_mincore-hang.diff
      [SECURITY] Fix a potential deadlock in mincore
      See CVE-2006-4814
    * [ERRATA] 240_smbfs-honor-mount-opts-2.diff
      Fix some regressions with respect to file types (e.g., symlinks)
      introduced by the fix for CVE-2006-5871 in 2.4.27-10sarge5
    * 241_bluetooth-capi-size-checks.diff
      [SECURITY] Add additional length checks to avoid potential remote
      DoS attacks in the handling of CAPI messages in the bluetooth driver
      See CVE-2006-6106
    * 242_ext3-fsfuzz.diff
      [SECURITY] Fix a DoS vulnerability that can be triggered by a local
      user with the ability to mount a corrupted ext3 filesystem
      See CVE-2006-6053
    * 243_ipv6_fl_socklist-no-share.diff
      [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
      ipv6_fl_socklist between the listening socket and the socket created
      for connection.
      See CVE-2007-1592
    * 244_bluetooth-l2cap-hci-info-leaks.diff
      245_bluetooth-l2cap-hci-info-leaks-2.diff
      [SECURITY] Fix information leaks in setsockopt() implementations
      See CVE-2007-1353
    * 246_dn_fib-out-of-bounds.diff
      266_ipv4-fib_props-out-of-bounds.diff
      267_ipv4-fib_props-out-of-bounds-2.diff
      [SECURITY] Fix out of bounds condition in dn_fib_props[]
      See CVE-2007-2172
    * 247_reset-pdeathsig-on-suid.diff
      [SECURITY] Fix potential privilege escalation caused by improper
      clearing of the child process' pdeath signal.
      Thanks to Marcel Holtmann for the patch.
      See CVE-2007-3848
    * 248_random-reseed-sizeof-fix.diff
      [SECURITY] Fix a bug in the random driver reseeding code that reduces
      entropy by reseeding a smaller buffer size than expected
      See CVE-2007-4311
    * 249_openpromfs-signedness-bug.diff
      250_openpromfs-checks-1.diff
      251_openpromfs-checks-2.diff
      252_openpromfs-checks-3.diff
      [SECURITY] Fix a number of data checks in openprom code
      See CVE-2004-2731
    * 253_coredump-only-to-same-uid.diff
      [SECURITY] Fix an issue where core dumping over a file that
      already exists retains the ownership of the original file
      See CVE-2007-6206
    * 254_cramfs-check-block-length.diff
      [SECURITY] Add a sanity check of the block length in cramfs_readpage to
      avoid a potential oops condition
      See CVE-2006-5823
    * 255_pppoe-socket-release-mem-leak.diff
      [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released
      after connect but before PPPIOCGCHAN ioctl is called upon it
      See CVE-2007-2525
    * 256_i4l-isdn_ioctl-mem-overrun.diff
      [SECURITY] Fix potential isdn ioctl memory overrun
      See CVE-2007-6151
    * 257_isdn-net-overflow.diff
      [SECURITY] Fix potential overflows in the ISDN subsystem
      See CVE-2007-6063
    * 258_ext2_readdir-f_pos-fix.diff,
      259_ext2_readdir-infinite-loop.diff,
      260_ext2-skip-pages-past-num-blocks.diff
      [SECURITY] Add some sanity checking for a corrupted i_size in
      ext2_find_entry()
      See CVE-2006-6054
    * 261_listxattr-mem-corruption.diff
      [SECURITY] Fix userspace corruption vulnerability caused by
      incorrectly promoted return values in bad_inode_ops
      This patches changes the kernel ABI.
      See CVE-2006-5753
    * 262_aacraid-ioctl-perm-check.diff
      [SECURITY] Require admin capabilities to issue ioctls to aacraid devices
      See CVE-2007-4308
    * 263_usb-pwc-disconnect-block.diff
      [SECURITY] Fix issue with unplugging webcams that use the pwc driver.
      If userspace still has the device open it can result, the driver would
      wait for the device to close, blocking the USB subsystem.
      See CVE-2007-5093
    * 264_mmap-VM_DONTEXPAND.diff
      [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
      a fault handler but do not bounds check the offset argument
      See CVE-2008-0007
    * 265_powerpc-chrp-null-deref.diff
      [SECURITY][powerpc] Fix NULL pointer dereference if get_property
      fails on the subarchitecture
      See CVE-2007-6694

 -- dann frazier <dannf@debian.org>  Mon, 18 Feb 2008 04:17:43 -0700

kernel-image-speakup-i386 (2.4.27-1.1sarge4) stable-security; urgency=high

  * Build against kernel-tree-2.4.27-10sarge5:
    * 233_ia64-sparc-cross-region-mappings.diff
      [SECURITY] Prevent cross-region mappings on ia64 and sparc which
      could be used in a local DoS attack (system crash)
      See CVE-2006-4538
    * 234_atm-clip-freed-skb-deref.diff
      [SECURITY] Avoid dereferencing an already freed skb, preventing a
      potential remote DoS (system crash) vector
      See CVE-2006-4997
    * 235_ppc-alignment-exception-table-check.diff
      [SECURITY][ppc] Avoid potential DoS which can be triggered by some
      futex ops
      See CVE-2006-5649
    * 236_s390-uaccess-memleak.diff
      [SECURITY][s390] Fix memory leak in copy_from_user by clearing the
      remaining bytes of the kernel buffer after a fault on the userspace
      address in copy_from_user()
      See CVE-2006-5174
    * 237_smbfs-honor-mount-opts.diff
      Honor uid, gid and mode mount options for smbfs even when unix extensions
      are enabled (closes: #310982)
      See CVE-2006-5871
    * 238_ppc-hid0-dos.diff
      [SECURITY] [ppc] Fix local DoS by clearing HID0 attention enable on
      PPC970 at boot time
      See CVE-2006-4093

 -- dann frazier <dannf@debian.org>  Tue,  5 Dec 2006 09:42:09 -0700

kernel-image-speakup-i386 (2.4.27-1.1sarge3) stable-security; urgency=high

  * Build against kernel-tree-2.4.27-10sarge4:
    * [ERRATA] 213_madvise_remove-restrict.diff
      [SECURITY] The 2.4.27-10sarge3 changelog associated this patch with
      CVE-2006-1524. However, this patch fixes an mprotect issue that was
      split off from the original report into CVE-2006-2071. 2.4.27 is not
      vulnerable to CVE-2006-1524 the madvise_remove issue.
      See CVE-2006-2071
    * 223_nfs-handle-long-symlinks.diff
      [SECURITY] Fix buffer overflow in NFS readline handling that allows a
      remote server to cause a denial of service (crash) via a long symlink
      See CVE-2005-4798
    * 224_cdrom-bad-cgc.buflen-assign.diff
      [SECURITY] Fix buffer overflow in dvd_read_bca which could potentially
      be used by a local user to trigger a buffer overflow via a specially
      crafted DVD, USB stick, or similar automatically mounted device.
      See CVE-2006-2935
    * 225_sg-no-mmap-VM_IO.diff
      [SECURITY] Fix DoS vulnerability whereby a local user could attempt
      a dio/mmap and cause the sg driver to oops.
      See CVE-2006-1528
    * 226_snmp-nat-mem-corruption-fix.diff
      [SECURITY] Fix memory corruption in snmp_trap_decode
      See CVE-2006-2444
    * 227_kfree_skb.diff
      [SECURITY] Fix race between kfree_skb and __skb_unlink
      See CVE-2006-2446
    * 228_sparc-mb-extraneous-semicolons.diff
      Fix a syntax error caused by extranous semicolons in smp_mb() macros
      which resulted in a build failure with 227_kfree_skb.diff
    * 229_sctp-priv-elevation.diff, 230_sctp-priv-elevation-2.diff
      [SECURITY] Fix SCTP privelege escalation
      See CVE-2006-3745
    * 231_udf-deadlock.diff
      [SECURITY] Fix possible UDF deadlock and memory corruption
      See CVE-2006-4145
    * 232_sparc-membar-extraneous-semicolons.diff
      Fix an additional syntax error caused by extraneous semicolons
      in membar macros on sparc

 -- dann frazier <dannf@debian.org>  Wed, 13 Sep 2006 20:42:50 -0600

kernel-image-speakup-i386 (2.4.27-1.1sarge2) stable-security; urgency=high

  * NMU by the Security Team
  * Build against kernel-tree-2.4.27-10sarge3:
    * 207_smbfs-chroot-escape.diff
      [SECURITY] Fix directory traversal vulnerability in smbfs that permits
      local users to escape chroot restrictions
      See CVE-2006-1864
    * 208_ia64-die_if_kernel-returns.diff
      [SECURITY][ia64] Fix a potential local DoS on ia64 systems caused by
      an incorrect 'noreturn' attribute on die_if_kernel()
      See CVE-2006-0742
    * 209_sctp-discard-unexpected-in-closed.diff
      [SECURITY] Fix remote DoS in SCTP code by discarding unexpected chunks
      received in CLOSED state instead of calling BUG()
      See CVE-2006-2271
    * 210_ipv4-id-no-increment.diff
      [SECURITY] Fix vulnerability that allows remote attackers to conduct an
      Idle Scan attack, bypassing intended protections against such attacks
      See CVE-2006-1242
    * 211_usb-gadget-rndis-bufoverflow.diff
      [SECURITY] Fix buffer overflow in the USB Gadget RNDIS implementation
      that allows for a remote DoS attack (kmalloc'd memory corruption)
      See CVE-2006-1368
    * 212_ipv4-sin_zero_clear.diff
      [SECURITY] Fix local information leak in af_inet code
      See CVE-2006-1343
    * 213_madvise_remove-restrict.diff
      [SECURITY] Fix vulnerability that allows local users to bypass IPC
      permissions and replace portions of read-only tmpfs files with zeroes.
      See CVE-2006-1524
    * 214_mcast-ip-route-null-deref.diff
      [SECURITY] Fix local DoS vulnerability that allows local users to panic
      a system by requesting a route for a multicast IP
      See CVE-2006-1525
    * 215_sctp-fragment-recurse.diff
      [SECURITY] Fix remote DoS vulnerability that can lead to infinite
      recursion when a packet containing two or more DATA fragments is received
      See CVE-2006-2274
    * 216_sctp-fragmented-receive-fix.diff
      [SECURITY] Fix remote DoS vulnerability that allows IP fragmented
      COOKIE_ECHO and HEARTBEAT SCTP control chunks to cause a kernel panic
      See CVE-2006-2272
    * 217_amd64-fp-reg-leak.diff
      [SECURITY][amd64] Fix an information leak that allows a process to see
      a portion of the floating point state of other processes, possibly
      exposing sensitive information.
      See CVE-2006-1056
    * 218_do_add_counters-race.diff
      [SECURITY] Fix race condition in the do_add_counters() function in
      netfilter that allows local users with CAP_NET_ADMIN capabilities to
      read kernel memory
      See CVE-2006-0039
    * 219_sctp-hb-ack-overflow.diff
      [SECURITY] Fix a remote buffer overflow that can result from a badly
      formatted HB-ACK chunk
      See CVE-2006-1857
    * 220_sctp-param-bound-checks.diff
      [SECURITY] Fix a bound checking error (remote DoS) in the SCTP parameter
      checking code
      See CVE-2006-1858
    * 221_netfilter-do_replace-overflow.diff
      [SECURITY] Fix buffer overflow in netfilter do_replace which can could
      be triggered by users with CAP_NET_ADMIN rights.
      See CVE-2006-0038
    * 222_binfmt-bad-elf-entry-address.diff
      [SECURITY][amd64] Fix potential local DoS vulnerability in the binfmt_elf
      code on em64t processors
      See CVE-2006-0741

 -- dann frazier <dannf@debian.org>  Sat, 10 Jun 2006 12:17:49 -0600

kernel-image-speakup-i386 (2.4.27-1.1sarge1) stable-security; urgency=high

  * NMU by the Security Team
  * Rebuild against kernel-tree-2.4.27-10sarge2

 -- dann frazier <dannf@debian.org>  Mon, 27 Feb 2006 23:02:51 -0700

kernel-image-speakup-i386 (2.4.27-1.1) unstable; urgency=HIGH

  * NMU
  * Rebuilt with version -8 of the kernel source package to fix numerous
    security holes, including CAN-2005-0001 and CAN-2004-1235.
    Closes: #295624
  * Warning! The security fixes introduced an ABI change in the kernel module
    interface. Kernel modules built for previous versions of this package will
    not work with the new one, nor the new kernel's modules work with older
    versions of the -speakup kernel. Please take appropriate care when
    upgrading.

 -- Joey Hess <joeyh@debian.org>  Fri, 25 Feb 2005 15:27:22 -0500

kernel-image-speakup-i386 (2.4.27-1) unstable; urgency=low

  * New kernel minor version (closes: #266900)
  * Update config/speakup according to config/386 from
    kernel-image-2.4.27-i386.

 -- Mario Lang <mlang@debian.org>  Thu, 19 Aug 2004 21:41:11 +0200

kernel-image-speakup-i386 (2.4.26-1) unstable; urgency=low

  * New kernel minor version.
  * Adjust Build-Depends since we need a new speakup-cvs.

 -- Mario Lang <mlang@debian.org>  Thu,  6 May 2004 21:26:59 +0200

kernel-image-speakup-i386 (2.4.24-1) unstable; urgency=low

  * New kernel minor version.

 -- Mario Lang <mlang@debian.org>  Thu,  8 Jan 2004 12:08:02 +0100

kernel-image-speakup-i386 (2.4.22-3) unstable; urgency=low

  * Build-depend on kernel-tree-2.4.22-5 to fix do_brk.

 -- Mario Lang <mlang@debian.org>  Sat,  6 Dec 2003 23:48:00 +0100

kernel-image-speakup-i386 (2.4.22-2) unstable; urgency=low

  * Reassume maintainership.
  * debian/control: Build-Depend on kernel-patch-speakup >= 20031115-1.
  * config/speakup:
    - CONFIG_DEVFS_FS=y for d-i.
    - Rename CONFIG_SPEAKUP_APOLO to CONFIG_SPEAKUP_APOLLO.
    - Set CONFIG_SPEAKUP_KEYPC=n for now, it doesn't compile.

 -- Mario Lang <mlang@debian.org>  Sat, 15 Nov 2003 18:39:57 +0100

kernel-image-speakup-i386 (2.4.22-1) unstable; urgency=medium

  * Build against kernel-tree-2.4.22-3.
  * Build using the newest speakup-cvs (20031012).

 -- Deedra Waters <dmwaters@linuxpowered.com>  Sat, 11 Oct 2003 19:25:51 +0200

kernel-image-speakup-i386 (2.4.20-3) unstable; urgency=low

  * New maintainer
  * added -initrd to the make-kpkg call (Closes: #189177)
  * removed support for the doubletalk driver in the kernel
  * added util-linux to the build depends
    (Closes: #191378)
  * built the package against kernel-source-2.4.20-7 and updated the build
    depends

 -- Deedra Waters <dmwaters@linuxpowered.com>  Fri, 30 May 2003 15:40:42 -0400

kernel-image-speakup-i386 (2.4.20-2) unstable; urgency=low

  * Recompiled against kernel-source-2.4.20 2.4.20-6 to fix ptrace hole
    and also set build-depends on that version

 -- Mario Lang <mlang@debian.org>  Wed, 26 Mar 2003 12:00:08 +0100

kernel-image-speakup-i386 (2.4.20-1) unstable; urgency=low

  * Initial release (Closes: Bug#173984).

 -- Mario Lang <mlang@debian.org>  Sun,  5 Jan 2003 20:15:50 +0100
