Linux 2.2.20 is Out

piranha(jpl) writes: "I went to download 2.2.x from kernel.org and noticed 2.2.20 is out. I believe this is supposed to fix the security vulnerability found in 2.2.19. Surprised I didn't see it on the main Slashdot page."

.20 has been -pre for months

[green pizza]

How long has 2.2.20 been in -pre state? Almost 8 months?

At any rate, it's a welcome sight. Several of our servers are still running 2.2, though most get a good dose of kernel.org and apt-get every few days.

Re:.20 has been -pre for months

[Anonymous Coward]

2.2.x is a very stable kernel series. Alan Cox is in charge, and intentionally being very cautious about making changes. (If it's not broken, don't fix it) That's why it took so long to go from 2.2.19 to 2.2.20.

Sadly, Alan's not planning [kerneltrap.com] to take over the 2.4 series. This is sad, as he's done such a good job with 2.2... And 2.4 could use his help.

Ahhhh

[Spy Hunter]

2.2.19 is no number to end a kernel series with. It's so ugly and odd. Doesn't 2.2.20 seem like such a better number? It's even and it's got alliteration. Thank goodness for this bug, or we would have never had a proper end to the 2.2.X series.

Re:Ahhhh

[RollingThunder]

We actually need two more bugs.

2.2.22 is even better. :)

Re:Ahhhh

[Tachys]

Of course we also need 2.0.40 to give the 2.0.x series a proper ending

Re:Ahhhh

[Cozminsky]

Surely it wouldn't be alliteration, but anumeration (even though there is no such word).

Version e

[empesey]

It'd be better to end on 2.7.18

Re:Ahhhh

[efgbr]

dude, that was not a kernel bug.

the problem is right in front of your monitor.

Nice to see...

[Anonymous Coward]

...that they still fix bugs in "older" kernels.

I'm still waiting for a patch for Windows 95 that will make it multiuser.

Re:Nice to see...

[surflorida]

Don't hold your breath. Hmmm.. I never had a problem with Linux and multible users...

Finally!

[cperciva]

This is a Good Thing. It gets tiring after a while to keep on telling people "Well, the 2.4 kernels are in the middle of a VM flamewar so you should probably stay away from them until they settle down... but the latest 2.2 kernel has some icky security holes, so what you need to do is get 2.2.19 and then add these two security patches... hey, where did you go?"

Huh?

[hardave]

2.2.20pre11
o Security fixes
| Details censored in accordance with the US DMCA

Someone mind telling me why it's illegal to reveal what they fixed??

Re:Huh?

[Anonymous Coward]

Actually it is illegal to distribute means or information for a copyright circumvention device...

This information allows someone to understand a security hole in previous versions of da kernel and exploit it. The copyrighted material is licenced software (GPL, Artistic, whatever).

For example, if you wrote a book and someone was able to get through your firewall due to a published security hole then you would have a legal case against the publisher under the DMCA.

Getting through on a kernel exploit is no different.

Re:Huh?

[jrockway]

Wrong. The DMCA only makes it illegal to circumvent encryption that protects compyright. Like the CSS that protectes copyrighted DVD's. That's why DeCSS is illegal, it's a circumvention device. Talking about DeCSS is illegal too aparently...

There's no encryption code that I know of that was affected, so someone's just being stupid here (Cox talking out his ass? I dunno...).

Re:Huh?

[kfg]

"What if the DMCA folks wanted to really stretch things. They could say that a compiler is a method for encrypting the source code. . . "

See my post to the thread parent. This is, essentially, what the California Appellate court just ruled in the DeCSS case.

KFG

Re:Huh?

[Coredumped]

No I dont believe thats what they said at all.

The ruling said that source code, being human readable was free-speech. Once you compile that code it becomes a tool to circumvent software, which IS illegal under the DMCA.

Re:Huh?

[jrockway]

Heh, so what happens if you use an interperted language? It's human readable and machine readable :)

Re:Huh?

[technos]

File permissions *do* protect copyright. If I write code, and stick it on a free server in Finland, and chmod it all to hell so everyone else can't see it's existance, I've taken reasonable technical steps to protect non-disclosure of my IP. Now Joe BlowHax0r comes along, axploits the bug, and *my* reasonable technical effort is screwed. Oh, and the DMCA too.

Re:Huh?

[kfg]

Sorry, but you're wrong here. See my post to the thread parent. You'll find a link to the DMCA itself. It makes an interesting read.

Please note also, that by American and international law *everything* you write is copyrighted from the moment of creation. In effect everything not specifically put into the public domain is covered by copyright protections. This is the crux of what makes the GPL work. GPL works are NOT in the public domain.

Note also the ruling of the court that distribution of the DeCSS source code is NOT illegal. . . at the moment.

This has, essentially, just happened and I guess you missed it.

KFG

Re:Huh?

[jrockway]

> Note also the ruling of the court that distribution of the DeCSS source code is NOT illegal. . . at the moment.

Yeah I know... but it's a good example. And the friggin' kernel exploit in not DMCA affected. If it is then chmod is a circumvention device (for root). Should we eliminate root?

Re:Huh?

[SnapperHead]

The intresting thing is that its kinda hard not to notice the change. Just create a diff bewteen the 2 versions. It would still be difficault for non-kernel hackers to figure it out.

But, anyway, its just to prove a point, which I can understand. Either way, its fixed, and I am happy.

Re:Huh?

[cicadia]

If you really want to know, just download the diff [kernel.org] from kernel.org [kernel.org].

Re:Huh?

[Anonymous Coward]

Goddamnit. Im moving under my bed. Maybe the DCMA and RIAA wont get to me there.

Re:Huh?

[Anonymous DWord]

Hahaha! That was "Informative?" Yeah, it's nice to know where that AC is going to move. Must be Friday night or something. mumblemumbledrunkenmoderatorsmumble

Re:Huh?

[Anonymous Coward]

It's not illegal. Alan Cox's joke is getting really tired.

Re:Huh?

[efgbr]

that was legal advice from his lawyer. AC is a serious person and has proved that, meanwhile youre nobody and youre acusing him.

Re:Huh?

[kfg]

Alan Cox is, essentially, making a political statement. Details of the security patch arn't actually illegal in the sense that it has been declared so. However, certain readings of the DMCA *could* be interpreted as meaning that details of a security flaw that allowed unauthorized access to propriatary files, ( and this would include your private "to do" list, which is copyrighted to you at creation), would be a violation.

Here is the the relevant section of the code:

`Sec. 1201. Circumvention of copyright protection systems

`(a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

The entire text of the DMCA can be found here:

http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2 28 1.ENR:

Note the term "technological measure." What does this term mean? Well, as it turns out that's a damn good question, one that it has been left to the courts to decide.

So let's say you fire up vi and write a "to do" list. You place it in your home directory. This is now propriatary information, technically copyrighted to you. That "to do" list is now has whatever protections upon it that that you assign the file and your home directory.

So, let's say that only you have any rights to your home directory and the file itself, but someone manages to crack your machine and read the file * using the knowledge gained from reading the patch code and/or details of the hole.*

You see? By assigning restricted permissions to the file you have used "technological measures" to insure its propriatary nature, and thus the security details could be interpreted as publishing a means to defeat that measure.

Noone law enforcment agency has yet stepped forward to claim this interpretation, but there is absolutely no reason * why they couldn't.*

Interestingly enough the Calfornia appellate court has just ruled in the DeCSS case that the injunction against distributing the source code of DeCSS was, indeed, an unconstitutional violation of freedom of speach. Note that the court made a clear and explicit distinction between machine readable compiled binary code and human readable source code. It acknowledged that compiled binaries would have had protection under the DMCA, but that *source code did not.*

This ruling has ramifications throughout the software industry, particularly with regards to OSS. At the moment there is no legal restriction, per se, of *any kind* on distributing source code.

Please make note though that this applies only to issues of *prior restraint.*

This does not mean that all source code can be legally distributed, it means that until an actual *adjudication* is made that said distribution was illegal it cannot be restrained.

A fine distinction of law that could get you out of, or *into*, trouble if you don't understand it properly.

Ah, what tangled webs we weave, when first we practice to make the contents of people's *minds* illegal.

KFG

Why?

[Bud Dwyer]

Okay, I'm kind of a newbie to Linux. I've been using Linux a little over a month, and I just finished compiling the latest stable 2.4 kernel. Now, tell me again why I'd want to take a step backwards? 2.4 is greater than 2.2.20 according to my math, which means it's better and more recent. So why are they still releasing 2.2? Is there some infighting in the Linux development world or something? Is this type of confusion (releasing 2.2.20 when 2.4 is already out) just one of the costs of the Open Source development methodology? I mean, you never hear about Microsoft releasing Windows 3.12 after Windows 95 is out.

Re:Why?

[jjr]

Becuase alot of people still use that kernel version. The nice people they are they like to keep do update even some of the older stuff also since they know some people still like using that kernel version.

Re:Why?

[edwdig]

If you're running a production server, you only change the kernel if there's a good reason. If you're running 2.2, installing this version is a good idea, as it's only minor (but important) tweaks.

Personally, I'm going to try it out because the 2.4 series networking doesn't work well at all on my system. Sockets stall after transferring a few hundred kb, which makes any kind of net access a serious pain. But 2.2.19 had problems with my sound card... Maybe, just maybe, there will be a version that likes all my hardware...

Re:Why?

[Electrum]

Okay, I'm kind of a newbie to Linux. I've been using Linux a little over a month, and I just finished compiling the latest stable 2.4 kernel. Now, tell me again why I'd want to take a step backwards? 2.4 is greater than 2.2.20 according to my math, which means it's better and more recent. So why are they still releasing 2.2? Is there some infighting in the Linux development world or something? Is this type of confusion (releasing 2.2.20 when 2.4 is already out) just one of the costs of the Open Source development methodology? I mean, you never hear about Microsoft releasing Windows 3.12 after Windows 95 is out.

Knowing Slashdot moderators, your comment will probably get modded as troll, but I'll answer anyway. Regarding your Windows example, you are incorrect. This is like Microsoft releasing SP6 for NT 4 after Windows 2000 is released. I'm fairly sure SP6 was released afterwards, but if not, they have still released updates to NT 4 after the release of Windows 2000. Just because a product isn't the latest code base doesn't mean it isn't still being used. Many people are still running NT 4, and need updates, like security fixes. There will still be updates to Windows 2000, even though Windows XP is out.

Even though 2.4 is "stable", it isn't "super stable" yet, and might not be for some time. I would guess that most people running Linux on non SMP production servers are using a 2.2 kernel, simply because it has been tested longer, and known to be stable. Then again, that's why many of us use FreeBSD on our production servers :) At this point, I would use a 2.2 kernel on any product boxes that were going to be running Linux. I've personally had problems with 2.4 on the boxes I use as workstations. For example, 2.4.7 would swap for hours when it ran out of memory. While you'd hope that never happens on a production server, many people can't afford to take that risk.

The current even numbered kernel, in this case 2.4, is the "stable" kernel, and the one behind it, in this case 2.2, is the "super stable" kernel.

Re:mod parent down

[Electrum]

"super stable"?

Get Real!

As opposed to just "stable". I'm not the one who came up with the term...

Re:Why?

[Buck2]

Just because you haven't had problems doesn't mean someone elsase hasn't. (me)

Super stable

[Tony-A]

Running production in the field for 5+ years with nobody having a stability problem.
The problem is such as Microsoft get something new and because it managed to stay up all day they think it's (finally) stable.

Re:Why?

[Ada_Rules]

Actually, plenty of vendors upgrade/patch older
versions even though new versions are out. Just a week or two ago MS released a new security patch for Windows 95. By any reasonable versioning standards, this does indeed change the version of the windows OS I sometimes run since a version should uniquely identify the configuration.

So, whether or not the parent of this message was indented to be a troll or a genuine question it still based on incorrect assumptions.

Re:Why?

[lemox]

Knowing Slashdot moderators, your comment will probably get modded as troll...

That's because he is a troll. Try reading his posting history.

So yeah... YHBT. HAND.

you misunderstand

[oni]

2.4 is greater than 2.2.20 according to my math, which means it's better and more recent

no, no, no...
Linux is a next-generation operating system. The whole thing was planned out by The Creator before even the first line of code was committed to disk. We are in fact on a count down to Linux version 1. That will be the perfect version that will signal the end times . You see, linux started with, IIRC version 5. Each time The Creator completes one stage of the plan, we decrement the version number by one. We are at 2.2 now so as you can see, it wont be long until the end times .

I'm kind of a newbie to Linux

Welcome aboard brother.

Why, I can remember my first experience with linux. I had a version 4.6.2 kernel running on a 386 with only 640K RAM. Ahh... those were the days!

Re:you misunderstand

[Anonymous Coward]

dispite what linus thinks, the _REAL_ version of linux is 7.2. Didn't the Creator tell you before? the end times is not as near as you think, brother

Re:Why?

[SnapperHead]

There are tons of installing still using the 2.2 series. For example, my laptop, DNS / DHCP server and firewall. Most of the 1 disk firewall distros currently use the 2.2 series kernel. It will be quite a while before the start moving to 2.4.

There are also the types of people who won't move there production servers / workstations over to 2.4 becuase of VM issues, and becuase of how long its been around. I am one of those types when it comes to filesystems. My main server is running ext2, it will be at least another 2 years before I think about moving it to ReiserFS or ext3. My workstation is using ext3, becuase the important things (/home) are mounted via NFS.

Anyway, I could show you my friends work which has over 200 2.2 series machines. Running anything from rh 6.2, to debian 2.2. Just becuase something is newier or has a higher version number, doesn't mean its better.

Re:Why?

[mark_lybarger]

i can see how a "one disk" (meaning floppy hopefully) distro would be limited to 2.2 since from what i recall, 2.4 requires more memory/space, but isn't 2.4 better suited for firewalling? i don't think 2.2 support iptables and all it's glory. statefull firewalls are a good thing.

Re:Why?

[dollargonzo]

although 2.4 is considered the even numbered stable kernel, the potato distro of, say, debian, still comes with the 2.2 kernel, and probably will for some time. The 2.4 kernel is in the woody distro, and still considered testing. so, if yuo buy a set of debian CDs, they will contain 2.2 until testing becomes stable.

Re:Why?

[EvlG]

Validation is a big concern for any mission-critical computing environment. Most organizations using Linux have validated 2.2 series long ago, and thus have certified it as acceptable for use in their production machines. Those machines can't afford much downtime, so if it works, don't fix it.

2.4 is still experiencing some evolution. Witness the VM changes lately. A production server running one of the builds with the bad VM would be in real trouble when it thrashed/etc... Thus, 2.4 is probably not validated for a lot of environments.

2.2 is rock solid at this point. Fix a few security bugs here and there, and you have a super stable kernel. Sure, it might not support all the latest features, and not have the absolute best performance when compared to some of the newer things being done, but for some applications, the stability is the most important goal.

Re:Why?

[Fishstick]

>tell me again why I'd want to take a step backwards?

You wouldn't. If you haven't taken the step forwards yet to 2.4 (as many probably haven't - not every distribution ships with a 2.4 kernel yet) you would need this.

There probably are (believe it or not) still many machines running 2.2 for one reason or another, and this version apparently fixes some security issues. Alan wouldn't bother to release a new version of 2.2 if no one still used it, would he?

I personally still use a 2.2 series kernel on my firewall pc. I just never had a compelling reason to upgrade to 2.4 and my 2.2.19 does everything I need. If 2.2.20 adds some security fixes, then I'll find some time in the next week to compile a new kernel.

Someday the task of moving this machine to 2.4 will move high enough on my list to do something about it. There's not a whole lot going on in this box, but I haven't found time to research all that would be involved to go from ipchains to iptables, or to figure out if there's anything I'd have to do different to get my VPN masquerading to work again.

Can't grab it quite yet, myself

[bconway]

As my sole 2.2 machine is running Mandrake w/ ReiserFS, I can't grab it quite yet for my firewall. Keep an eye on their ftp site [namesys.com] for the imminent 2.2 patch, and enjoy.

Security fixes

[VA Software]

2.2.20pre11
o Security fixes

- Quota buffer overrun , possibly locally exploitable (Solar Designer)

- Ptrace race - local root exploit

- Symlink local denial of service attack fix (Rafal Wojtczuk, Solar Designer, Linus Torvalds)

- Sparc exec fixups(Solar Designer)

Re:Security fixes

[jrockway]

No no no it doesn't! Read my previous post on what's illegal under the DMCA. Hint: this has nothing to do with it!!!!

Re:The Full Changelog

[Glyndwr]

o Security fixes


| Details censored in accordance with the US DMCA

Huh? What gives here? This sounds juicy.

Re:The Full Changelog

[damiam]

There was a /. discussion [slashdot.org] on this a few weeks ago.

Re:The Full Changelog

[Glyndwr]

So I discovered about 15 minutes of posting my original comment. I hate being stuck offline for a week at a time.

Re:The Full Changelog

[dattaway]

We could tell you, but the NSA would have to kill you.

Re:The Full Changelog

[vsavatar]

Non-US citizens can find the full uncensored changelog at http://www.freeworld.net

For those of you who don't want to have to go through a click-thru agreement I have posted them on

http://www.burger-family.org/chglog-2_2_20.txt

and

http://www.geocities.com/vsavatar/chglog-2_2_20. tx t.

I'm doing this to spite the DMCA and if they come after me for it then so be it. I'm sure the EFF and other organizations and individuals will be willing to help me out with my legal fees if the feds come after me for it. Since I'm in the US, I may be putting my neck on the line for this, but there are some things worth risking imprisonment for. I'm young and single... I have a lot to lose, but if we can't even post information like this which we as a community have helped put together and support over time, then we have lost more than I can stand to lose.

they waited 2 days too long . . .

[kraada]

because how cool would it have been if kernel 2.2.20 came out on 11.1.01?

Re:they waited 2 days too long . . .

[TomK32]

no, 10.10.10100 would have been much cooler ;-)

bits will never die!

2.2.2 - 2.2.20 Sizing

[SlickMickTrick]

Compare the size of the bz2 files between 2.2.2 and 2.2.20

linux-2.2.2.tar.bz2 10.1M
linux-2.2.20.tar.bz2 15.0M

50% increase in the stable series...

Drivers

[srichman]

Compare the size of the bz2 files between 2.2.2 and 2.2.20 ... 50% increase in the stable series...

I would guess it's mostly drivers. New/updated drivers get added throughout stable series. As you probably know, drivers are by far the majority of the Linux kernel, and the size of the driver code grows much faster than the rest of the kernel.

Didn't 2.2.19.1 fix this?

[Masem]

I believe a day after that possible local user exploit was discovered, in which the 2.4.x series was patched, they released what best could be called an interim 2.2, labeled 2.2.19.1. At least, from debian's info, here's what 2.2.19.1 had (note the high priority for a kernel image:) kernel-source-2.2.19 (2.2.19.1-1) stable unstable; urgency=high

* Removed non-free Keyspan firmware (closes: #113382).
* Fixed suid ptrace exploit (Solar Designer).
* Fixed local symlink DoS (Solar Designer).
* Added support for nm256xl+ (Mattia Monga, closes: #113343).

-- Herbert Xu Sat, 20 Oct 2001 17:39:35 +1000

Re:Didn't 2.2.19.1 fix this?

[germinatoras]

Yes. At SecurityFocus [securityfocus.com], there's a list of vendors that have supplied a patch for the kernel used in their distribution. But for me, (as a Slackware 7.1 user, and therefore a 2.2.16 kernel user), this 2.2.20 is a definite good thing. I had toyed around with the idea of getting the kernel from some other distro and apply that distro vendor's patch. It probably would have been a decent enough solution, but being able to simply upgrade to 2.2.20 is going to be a lot cleaner.

Cryptography

[nick255]

Does anyone know what has happened to the international kernel patch?
I haven't been able to get to kerneli.org for ages, and have been unable to find any info about where the patches now are.

Re:Big Deal! Linux 2.2.20 is out...

[sydneyfong]

and i've yet to see anyone not working for MS who knows they've released a new windows kernel.

Windows is not only a kernel, it's rather similar to a Distribution.

For kernels, you may get a new one when u get a new version of windows, or maybe with Windows Update (yuck), but aside from noticing the system is more stable/faster (or unstable/slower) it isn't really a big deal anyway. Compared to windows, the linux kernel has all the publicity it needs.
And don't forget how many people reads /. everyday...

false

[recursiv]

0 is even too you know

WoW! This is Confusing! Help!

[vbprgrmr]

And not only that! But does the work, changes and 'improvements' being done in the 2.2 tree ever get incorporated in future versions of 2.4.XX or 2.5.XX? And if so does that degrade the stability of earlier versions of 2.4 and 2.5?