
Linux 2.2.20 is Out

piranha(jpl) writes: "I went to download 2.2.x from kernel.org and noticed 2.2.20 is out. I believe this is supposed to fix the security vulnerability found in 2.2.19. Surprised I didn't see it on the main Slashdot page."
This discussion has been archived. No new comments can be posted.

  • How long has 2.2.20 been in -pre state? Almost 8 months?

    At any rate, it's a welcome sight. Several of our servers are still running 2.2, though most get a good dose of kernel.org and apt-get every few days.
    • by Anonymous Coward
      2.2.x is a very stable kernel series. Alan Cox is in charge, and intentionally being very cautious about making changes. (If it's not broken, don't fix it) That's why it took so long to go from 2.2.19 to 2.2.20.

      Sadly, Alan's not planning [kerneltrap.com] to take over the 2.4 series. This is sad, as he's done such a good job with 2.2... And 2.4 could use his help.
  • Ahhhh (Score:3, Funny)

    by Spy Hunter ( 317220 ) on Saturday November 03, 2001 @02:05AM (#2515575) Journal
    2.2.19 is no number to end a kernel series with. It's so ugly and odd. Doesn't 2.2.20 seem like such a better number? It's even and it's got alliteration. Thank goodness for this bug, or we would have never had a proper end to the 2.2.X series.
  • Nice to see... (Score:1, Flamebait)

    by Anonymous Coward
    ...that they still fix bugs in "older" kernels.

    I'm still waiting for a patch for Windows 95 that will make it multiuser.
  • Finally! (Score:3, Funny)

    by cperciva ( 102828 ) on Saturday November 03, 2001 @02:10AM (#2515588) Homepage
    This is a Good Thing. It gets tiring after a while to keep on telling people "Well, the 2.4 kernels are in the middle of a VM flamewar so you should probably stay away from them until they settle down... but the latest 2.2 kernel has some icky security holes, so what you need to do is get 2.2.19 and then add these two security patches... hey, where did you go?"
  • Huh? (Score:1, Insightful)

    by hardave ( 87702 )
    2.2.20pre11
    o Security fixes
    | Details censored in accordance with the US DMCA


    Someone mind telling me why it's illegal to reveal what they fixed??
    • Re:Huh? (Score:1, Funny)

      by Anonymous Coward
      Goddamnit. I'm moving under my bed. Maybe the DMCA and RIAA won't get to me there.
      • Hahaha! That was "Informative?" Yeah, it's nice to know where that AC is going to move. Must be Friday night or something. mumblemumbledrunkenmoderatorsmumble
    • Re:Huh? (Score:2, Insightful)

      by Anonymous Coward
      It's not illegal. Alan Cox's joke is getting really tired.
      • That was legal advice from his lawyer. AC is a serious person and has proved that; meanwhile you're nobody and you're accusing him.
    • Re:Huh? (Score:4, Informative)

      by kfg ( 145172 ) on Saturday November 03, 2001 @04:47AM (#2515800)
      Alan Cox is, essentially, making a political statement. Details of the security patch aren't actually illegal in the sense that it has been declared so. However, certain readings of the DMCA *could* be interpreted as meaning that details of a security flaw that allowed unauthorized access to proprietary files (and this would include your private "to do" list, which is copyrighted to you at creation) would be a violation.

      Here is the relevant section of the code:

      `Sec. 1201. Circumvention of copyright protection systems

      `(a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

      The entire text of the DMCA can be found here:

      http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:

      Note the term "technological measure." What does this term mean? Well, as it turns out that's a damn good question, one that it has been left to the courts to decide.

      So let's say you fire up vi and write a "to do" list. You place it in your home directory. This is now proprietary information, technically copyrighted to you. That "to do" list now has whatever protections upon it that you assign the file and your home directory.

      So, let's say that only you have any rights to your home directory and the file itself, but someone manages to crack your machine and read the file *using the knowledge gained from reading the patch code and/or details of the hole.*

      You see? By assigning restricted permissions to the file you have used "technological measures" to ensure its proprietary nature, and thus the security details could be interpreted as publishing a means to defeat that measure.

      No law enforcement agency has yet stepped forward to claim this interpretation, but there is absolutely no reason *why they couldn't.*

      Interestingly enough the California appellate court has just ruled in the DeCSS case that the injunction against distributing the source code of DeCSS was, indeed, an unconstitutional violation of freedom of speech. Note that the court made a clear and explicit distinction between machine readable compiled binary code and human readable source code. It acknowledged that compiled binaries would have had protection under the DMCA, but that *source code did not.*

      This ruling has ramifications throughout the software industry, particularly with regards to OSS. At the moment there is no legal restriction, per se, of *any kind* on distributing source code.

      Please make note though that this applies only to issues of *prior restraint.*

      This does not mean that all source code can be legally distributed, it means that until an actual *adjudication* is made that said distribution was illegal it cannot be restrained.

      A fine distinction of law that could get you out of, or *into*, trouble if you don't understand it properly.

      Ah, what tangled webs we weave, when first we practice to make the contents of people's *minds* illegal.

      KFG
  • Why? (Score:3, Troll)

    by Bud Dwyer ( 527622 ) on Saturday November 03, 2001 @02:19AM (#2515602) Homepage
    Okay, I'm kind of a newbie to Linux. I've been using Linux a little over a month, and I just finished compiling the latest stable 2.4 kernel. Now, tell me again why I'd want to take a step backwards? 2.4 is greater than 2.2.20 according to my math, which means it's better and more recent. So why are they still releasing 2.2? Is there some infighting in the Linux development world or something? Is this type of confusion (releasing 2.2.20 when 2.4 is already out) just one of the costs of the Open Source development methodology? I mean, you never hear about Microsoft releasing Windows 3.12 after Windows 95 is out.
    • Re:Why? (Score:2, Insightful)

      by jjr ( 6873 )
      Because a lot of people still use that kernel version. The nice people they are, they like to keep updating even some of the older stuff, since they know some people still like using that kernel version.
    • Re:Why? (Score:1, Redundant)

      by edwdig ( 47888 )
      If you're running a production server, you only change the kernel if there's a good reason. If you're running 2.2, installing this version is a good idea, as it's only minor (but important) tweaks.

      Personally, I'm going to try it out because the 2.4 series networking doesn't work well at all on my system. Sockets stall after transferring a few hundred kb, which makes any kind of net access a serious pain. But 2.2.19 had problems with my sound card... Maybe, just maybe, there will be a version that likes all my hardware...
    • Re:Why? (Score:5, Insightful)

      by Electrum ( 94638 ) <david@acz.org> on Saturday November 03, 2001 @02:37AM (#2515632) Homepage

      Okay, I'm kind of a newbie to Linux. I've been using Linux a little over a month, and I just finished compiling the latest stable 2.4 kernel. Now, tell me again why I'd want to take a step backwards? 2.4 is greater than 2.2.20 according to my math, which means it's better and more recent. So why are they still releasing 2.2? Is there some infighting in the Linux development world or something? Is this type of confusion (releasing 2.2.20 when 2.4 is already out) just one of the costs of the Open Source development methodology? I mean, you never hear about Microsoft releasing Windows 3.12 after Windows 95 is out.

      Knowing Slashdot moderators, your comment will probably get modded as troll, but I'll answer anyway. Regarding your Windows example, you are incorrect. This is like Microsoft releasing SP6 for NT 4 after Windows 2000 is released. I'm fairly sure SP6 was released afterwards, but if not, they have still released updates to NT 4 after the release of Windows 2000. Just because a product isn't the latest code base doesn't mean it isn't still being used. Many people are still running NT 4, and need updates, like security fixes. There will still be updates to Windows 2000, even though Windows XP is out.

      Even though 2.4 is "stable", it isn't "super stable" yet, and might not be for some time. I would guess that most people running Linux on non SMP production servers are using a 2.2 kernel, simply because it has been tested longer, and known to be stable. Then again, that's why many of us use FreeBSD on our production servers :) At this point, I would use a 2.2 kernel on any product boxes that were going to be running Linux. I've personally had problems with 2.4 on the boxes I use as workstations. For example, 2.4.7 would swap for hours when it ran out of memory. While you'd hope that never happens on a production server, many people can't afford to take that risk.

      The current even numbered kernel, in this case 2.4, is the "stable" kernel, and the one behind it, in this case 2.2, is the "super stable" kernel.

      • Actually, plenty of vendors upgrade/patch older versions even though new versions are out. Just a week or two ago MS released a new security patch for Windows 95. By any reasonable versioning standards, this does indeed change the version of the windows OS I sometimes run since a version should uniquely identify the configuration.

        So, whether or not the parent of this message was intended to be a troll or a genuine question, it is still based on incorrect assumptions.
      • Knowing Slashdot moderators, your comment will probably get modded as troll...

        That's because he is a troll. Try reading his posting history.

        So yeah... YHBT. HAND.

    • by oni ( 41625 ) on Saturday November 03, 2001 @02:38AM (#2515634) Homepage
      2.4 is greater than 2.2.20 according to my math, which means it's better and more recent

      no, no, no...
      Linux is a next-generation operating system. The whole thing was planned out by The Creator before even the first line of code was committed to disk. We are in fact on a count down to Linux version 1. That will be the perfect version that will signal the end times. You see, linux started with, IIRC version 5. Each time The Creator completes one stage of the plan, we decrement the version number by one. We are at 2.2 now so as you can see, it won't be long until the end times.

      I'm kind of a newbie to Linux

      Welcome aboard brother.

      Why, I can remember my first experience with linux. I had a version 4.6.2 kernel running on a 386 with only 640K RAM. Ahh... those were the days!
      • by Anonymous Coward
        despite what linus thinks, the _REAL_ version of linux is 7.2. Didn't the Creator tell you before? the end times is not as near as you think, brother
    • Re:Why? (Score:4, Insightful)

      by SnapperHead ( 178050 ) on Saturday November 03, 2001 @03:04AM (#2515673) Homepage Journal
      There are tons of installs still using the 2.2 series. For example, my laptop, DNS / DHCP server and firewall. Most of the 1 disk firewall distros currently use the 2.2 series kernel. It will be quite a while before they start moving to 2.4.

      There are also the types of people who won't move their production servers / workstations over to 2.4 because of VM issues, and because of how long it's been around. I am one of those types when it comes to filesystems. My main server is running ext2, it will be at least another 2 years before I think about moving it to ReiserFS or ext3. My workstation is using ext3, because the important things (/home) are mounted via NFS.

      Anyway, I could show you my friend's work which has over 200 2.2 series machines. Running anything from rh 6.2, to debian 2.2. Just because something is newer or has a higher version number, doesn't mean it's better.

      • i can see how a "one disk" (meaning floppy hopefully) distro would be limited to 2.2 since from what i recall, 2.4 requires more memory/space, but isn't 2.4 better suited for firewalling? i don't think 2.2 supports iptables and all its glory. stateful firewalls are a good thing.
    • although 2.4 is considered the even numbered stable kernel, the potato distro of, say, debian, still comes with the 2.2 kernel, and probably will for some time. The 2.4 kernel is in the woody distro, and still considered testing. so, if you buy a set of debian CDs, they will contain 2.2 until testing becomes stable.

    • by EvlG ( 24576 )
      Validation is a big concern for any mission-critical computing environment. Most organizations using Linux have validated 2.2 series long ago, and thus have certified it as acceptable for use in their production machines. Those machines can't afford much downtime, so if it works, don't fix it.

      2.4 is still experiencing some evolution. Witness the VM changes lately. A production server running one of the builds with the bad VM would be in real trouble when it thrashed/etc... Thus, 2.4 is probably not validated for a lot of environments.

      2.2 is rock solid at this point. Fix a few security bugs here and there, and you have a super stable kernel. Sure, it might not support all the latest features, and not have the absolute best performance when compared to some of the newer things being done, but for some applications, the stability is the most important goal.
    • >tell me again why I'd want to take a step backwards?

      You wouldn't. If you haven't taken the step forwards yet to 2.4 (as many probably haven't - not every distribution ships with a 2.4 kernel yet) you would need this.

      There probably are (believe it or not) still many machines running 2.2 for one reason or another, and this version apparently fixes some security issues. Alan wouldn't bother to release a new version of 2.2 if no one still used it, would he?

      I personally still use a 2.2 series kernel on my firewall pc. I just never had a compelling reason to upgrade to 2.4 and my 2.2.19 does everything I need. If 2.2.20 adds some security fixes, then I'll find some time in the next week to compile a new kernel.

      Someday the task of moving this machine to 2.4 will move high enough on my list to do something about it. There's not a whole lot going on in this box, but I haven't found time to research all that would be involved to go from ipchains to iptables, or to figure out if there's anything I'd have to do different to get my VPN masquerading to work again.
  • As my sole 2.2 machine is running Mandrake w/ ReiserFS, I can't grab it quite yet for my firewall. Keep an eye on their ftp site [namesys.com] for the imminent 2.2 patch, and enjoy.
  • Security fixes (Score:3, Informative)

    by VA Software ( 533136 ) on Saturday November 03, 2001 @02:24AM (#2515611) Homepage
    2.2.20pre11
    o Security fixes

    - Quota buffer overrun, possibly locally exploitable (Solar Designer)

    - Ptrace race - local root exploit

    - Symlink local denial of service attack fix (Rafal Wojtczuk, Solar Designer, Linus Torvalds)

    - Sparc exec fixups (Solar Designer)
  • by kraada ( 300650 ) on Saturday November 03, 2001 @02:43AM (#2515645)
    because how cool would it have been if kernel 2.2.20 came out on 11.1.01?
  • Compare the size of the bz2 files between 2.2.2 and 2.2.20

    linux-2.2.2.tar.bz2 10.1M
    linux-2.2.20.tar.bz2 15.0M

    50% increase in the stable series...
    • Compare the size of the bz2 files between 2.2.2 and 2.2.20 ... 50% increase in the stable series...
      I would guess it's mostly drivers. New/updated drivers get added throughout stable series. As you probably know, drivers are by far the majority of the Linux kernel, and the size of the driver code grows much faster than the rest of the kernel.
  • I believe a day after that possible local user exploit was discovered, in which the 2.4.x series was patched, they released what best could be called an interim 2.2, labeled 2.2.19.1. At least, from debian's info, here's what 2.2.19.1 had (note the high priority for a kernel image:)

    kernel-source-2.2.19 (2.2.19.1-1) stable unstable; urgency=high

    * Removed non-free Keyspan firmware (closes: #113382).
    * Fixed suid ptrace exploit (Solar Designer).
    * Fixed local symlink DoS (Solar Designer).
    * Added support for nm256xl+ (Mattia Monga, closes: #113343).

    -- Herbert Xu Sat, 20 Oct 2001 17:39:35 +1000
    • Yes. At SecurityFocus [securityfocus.com], there's a list of vendors that have supplied a patch for the kernel used in their distribution. But for me, (as a Slackware 7.1 user, and therefore a 2.2.16 kernel user), this 2.2.20 is a definite good thing. I had toyed around with the idea of getting the kernel from some other distro and applying that distro vendor's patch. It probably would have been a decent enough solution, but being able to simply upgrade to 2.2.20 is going to be a lot cleaner.
  • Does anyone know what has happened to the international kernel patch?
    I haven't been able to get to kerneli.org for ages, and have been unable to find any info about where the patches now are.
