Slashdot Mirror
Linux 2.2.20 is Out
piranha(jpl) writes: "I went to download 2.2.x from kernel.org and noticed 2.2.20 is out. I believe this is supposed to fix the security vulnerability found in 2.2.19. Surprised I didn't see it on the main Slashdot page."
← Back to Stories (view on slashdot.org)
2.2.20pre11
o Security fixes
- Quota buffer overrun , possibly locally exploitable (Solar Designer)
- Ptrace race - local root exploit
- Symlink local denial of service attack fix (Rafal Wojtczuk, Solar Designer, Linus Torvalds)
- Sparc exec fixups(Solar Designer)
---
http://slashdot.org/moderation.shtml
This information allows someone to understand a security hole in previous versions of da kernel and exploit it. The copyrighted material is licenced software (GPL, Artistic, whatever).
For example, if you wrote a book and someone was able to get through your firewall due to a published security hole then you would have a legal case against the publisher under the DMCA.
Getting through on a kernel exploit is no different.
Alan Cox is, essentially, making a political statement. Details of the security patch arn't actually illegal in the sense that it has been declared so. However, certain readings of the DMCA *could* be interpreted as meaning that details of a security flaw that allowed unauthorized access to propriatary files, ( and this would include your private "to do" list, which is copyrighted to you at creation), would be a violation.
2 28 1.ENR:
Here is the the relevant section of the code:
`Sec. 1201. Circumvention of copyright protection systems
`(a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.
The entire text of the DMCA can be found here:
http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.
Note the term "technological measure." What does this term mean? Well, as it turns out that's a damn good question, one that it has been left to the courts to decide.
So let's say you fire up vi and write a "to do" list. You place it in your home directory. This is now propriatary information, technically copyrighted to you. That "to do" list is now has whatever protections upon it that that you assign the file and your home directory.
So, let's say that only you have any rights to your home directory and the file itself, but someone manages to crack your machine and read the file * using the knowledge gained from reading the patch code and/or details of the hole.*
You see? By assigning restricted permissions to the file you have used "technological measures" to insure its propriatary nature, and thus the security details could be interpreted as publishing a means to defeat that measure.
Noone law enforcment agency has yet stepped forward to claim this interpretation, but there is absolutely no reason * why they couldn't.*
Interestingly enough the Calfornia appellate court has just ruled in the DeCSS case that the injunction against distributing the source code of DeCSS was, indeed, an unconstitutional violation of freedom of speach. Note that the court made a clear and explicit distinction between machine readable compiled binary code and human readable source code. It acknowledged that compiled binaries would have had protection under the DMCA, but that *source code did not.*
This ruling has ramifications throughout the software industry, particularly with regards to OSS. At the moment there is no legal restriction, per se, of *any kind* on distributing source code.
Please make note though that this applies only to issues of *prior restraint.*
This does not mean that all source code can be legally distributed, it means that until an actual *adjudication* is made that said distribution was illegal it cannot be restrained.
A fine distinction of law that could get you out of, or *into*, trouble if you don't understand it properly.
Ah, what tangled webs we weave, when first we practice to make the contents of people's *minds* illegal.
KFG
2.2.x is a very stable kernel series. Alan Cox is in charge, and intentionally being very cautious about making changes. (If it's not broken, don't fix it) That's why it took so long to go from 2.2.19 to 2.2.20.
Sadly, Alan's not planning to take over the 2.4 series. This is sad, as he's done such a good job with 2.2... And 2.4 could use his help.
There was a /. discussion on this a few weeks ago.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
Non-US citizens can find the full uncensored changelog at http://www.freeworld.net
. tx t.
For those of you who don't want to have to go through a click-thru agreement I have posted them on
http://www.burger-family.org/chglog-2_2_20.txt
and
http://www.geocities.com/vsavatar/chglog-2_2_20
I'm doing this to spite the DMCA and if they come after me for it then so be it. I'm sure the EFF and other organizations and individuals will be willing to help me out with my legal fees if the feds come after me for it. Since I'm in the US, I may be putting my neck on the line for this, but there are some things worth risking imprisonment for. I'm young and single... I have a lot to lose, but if we can't even post information like this which we as a community have helped put together and support over time, then we have lost more than I can stand to lose.