Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux 2.2.20 is Out

Posted by michael on from the not-brave-enough-for-2.4 dept.

piranha(jpl) writes: "I went to download 2.2.x from kernel.org and noticed 2.2.20 is out. I believe this is supposed to fix the security vulnerability found in 2.2.19. Surprised I didn't see it on the main Slashdot page."

25 of 129 comments (clear)

  1. .20 has been -pre for months by green+pizza · · Score: 2

    How long has 2.2.20 been in -pre state? Almost 8 months?

    At any rate, it's a welcome sight. Several of our servers are still running 2.2, though most get a good dose of kernel.org and apt-get every few days.

  2. Ahhhh by Spy+Hunter · · Score: 3, Funny

    2.2.19 is no number to end a kernel series with. It's so ugly and odd. Doesn't 2.2.20 seem like such a better number? It's even and it's got alliteration. Thank goodness for this bug, or we would have never had a proper end to the 2.2.X series.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    1. Re:Ahhhh by Tachys · · Score: 2

      Of course we also need 2.0.40 to give the 2.0.x series a proper ending

    2. Re:Ahhhh by efgbr · · Score: 2, Insightful

      dude, that was not a kernel bug.

      the problem is right in front of your monitor.

  3. Finally! by cperciva · · Score: 3, Funny

    This is a Good Thing. It gets tiring after a while to keep on telling people "Well, the 2.4 kernels are in the middle of a VM flamewar so you should probably stay away from them until they settle down... but the latest 2.2 kernel has some icky security holes, so what you need to do is get 2.2.19 and then add these two security patches... hey, where did you go?"

    --
    Tarsnap: Online backups for the truly paranoid
  4. Re:Huh? by Anonymous Coward · · Score: 2, Insightful

    It's not illegal. Alan Cox's joke is getting really tired.

  5. Why? by Bud+Dwyer · · Score: 3, Troll

    Okay, I'm kind of a newbie to Linux. I've been using Linux a little over a month, and I just finished compiling the latest stable 2.4 kernel. Now, tell me again why I'd want to take a step backwards? 2.4 is greater than 2.2.20 according to my math, which means it's better and more recent. So why are they still releasing 2.2? Is there some infighting in the Linux development world or something? Is this type of confusion (releasing 2.2.20 when 2.4 is already out) just one of the costs of the Open Source development methodology? I mean, you never hear about Microsoft releasing Windows 3.12 after Windows 95 is out.

    1. Re:Why? by jjr · · Score: 2, Insightful

      Becuase alot of people still use that kernel version. The nice people they are they like to keep do update even some of the older stuff also since they know some people still like using that kernel version.

    2. Re:Why? by Electrum · · Score: 5, Insightful

      Okay, I'm kind of a newbie to Linux. I've been using Linux a little over a month, and I just finished compiling the latest stable 2.4 kernel. Now, tell me again why I'd want to take a step backwards? 2.4 is greater than 2.2.20 according to my math, which means it's better and more recent. So why are they still releasing 2.2? Is there some infighting in the Linux development world or something? Is this type of confusion (releasing 2.2.20 when 2.4 is already out) just one of the costs of the Open Source development methodology? I mean, you never hear about Microsoft releasing Windows 3.12 after Windows 95 is out.

      Knowing Slashdot moderators, your comment will probably get modded as troll, but I'll answer anyway. Regarding your Windows example, you are incorrect. This is like Microsoft releasing SP6 for NT 4 after Windows 2000 is released. I'm fairly sure SP6 was released afterwards, but if not, they have still released updates to NT 4 after the release of Windows 2000. Just because a product isn't the latest code base doesn't mean it isn't still being used. Many people are still running NT 4, and need updates, like security fixes. There will still be updates to Windows 2000, even though Windows XP is out.

      Even though 2.4 is "stable", it isn't "super stable" yet, and might not be for some time. I would guess that most people running Linux on non SMP production servers are using a 2.2 kernel, simply because it has been tested longer, and known to be stable. Then again, that's why many of us use FreeBSD on our production servers :) At this point, I would use a 2.2 kernel on any product boxes that were going to be running Linux. I've personally had problems with 2.4 on the boxes I use as workstations. For example, 2.4.7 would swap for hours when it ran out of memory. While you'd hope that never happens on a production server, many people can't afford to take that risk.

      The current even numbered kernel, in this case 2.4, is the "stable" kernel, and the one behind it, in this case 2.2, is the "super stable" kernel.

    3. Re:Why? by SnapperHead · · Score: 4, Insightful

      There are tons of installing still using the 2.2 series. For example, my laptop, DNS / DHCP server and firewall. Most of the 1 disk firewall distros currently use the 2.2 series kernel. It will be quite a while before the start moving to 2.4.

      There are also the types of people who won't move there production servers / workstations over to 2.4 becuase of VM issues, and becuase of how long its been around. I am one of those types when it comes to filesystems. My main server is running ext2, it will be at least another 2 years before I think about moving it to ReiserFS or ext3. My workstation is using ext3, becuase the important things (/home) are mounted via NFS.

      Anyway, I could show you my friends work which has over 200 2.2 series machines. Running anything from rh 6.2, to debian 2.2. Just becuase something is newier or has a higher version number, doesn't mean its better.

      --
      until (succeed) try { again(); }
    4. Re:Why? by EvlG · · Score: 2

      Validation is a big concern for any mission-critical computing environment. Most organizations using Linux have validated 2.2 series long ago, and thus have certified it as acceptable for use in their production machines. Those machines can't afford much downtime, so if it works, don't fix it.

      2.4 is still experiencing some evolution. Witness the VM changes lately. A production server running one of the builds with the bad VM would be in real trouble when it thrashed/etc... Thus, 2.4 is probably not validated for a lot of environments.

      2.2 is rock solid at this point. Fix a few security bugs here and there, and you have a super stable kernel. Sure, it might not support all the latest features, and not have the absolute best performance when compared to some of the newer things being done, but for some applications, the stability is the most important goal.

    5. Re:Why? by Fishstick · · Score: 2

      >tell me again why I'd want to take a step backwards?

      You wouldn't. If you haven't taken the step forwards yet to 2.4 (as many probably haven't - not every distribution ships with a 2.4 kernel yet) you would need this.

      There probably are (believe it or not) still many machines running 2.2 for one reason or another, and this version apparently fixes some security issues. Alan wouldn't bother to release a new version of 2.2 if no one still used it, would he?

      I personally still use a 2.2 series kernel on my firewall pc. I just never had a compelling reason to upgrade to 2.4 and my 2.2.19 does everything I need. If 2.2.20 adds some security fixes, then I'll find some time in the next week to compile a new kernel.

      Someday the task of moving this machine to 2.4 will move high enough on my list to do something about it. There's not a whole lot going on in this box, but I haven't found time to research all that would be involved to go from ipchains to iptables, or to figure out if there's anything I'd have to do different to get my VPN masquerading to work again.

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

  6. Security fixes by VA+Software · · Score: 3, Informative

    2.2.20pre11
    o Security fixes

    - Quota buffer overrun , possibly locally exploitable (Solar Designer)

    - Ptrace race - local root exploit

    - Symlink local denial of service attack fix (Rafal Wojtczuk, Solar Designer, Linus Torvalds)

    - Sparc exec fixups(Solar Designer)

    --

    ---
    http://slashdot.org/moderation.shtml
  7. Re:Huh? by Anonymous Coward · · Score: 3, Informative
    Actually it is illegal to distribute means or information for a copyright circumvention device...

    This information allows someone to understand a security hole in previous versions of da kernel and exploit it. The copyrighted material is licenced software (GPL, Artistic, whatever).

    For example, if you wrote a book and someone was able to get through your firewall due to a published security hole then you would have a legal case against the publisher under the DMCA.

    Getting through on a kernel exploit is no different.

  8. you misunderstand by oni · · Score: 5, Funny

    2.4 is greater than 2.2.20 according to my math, which means it's better and more recent

    no, no, no...
    Linux is a next-generation operating system. The whole thing was planned out by The Creator before even the first line of code was committed to disk. We are in fact on a count down to Linux version 1. That will be the perfect version that will signal the end times . You see, linux started with, IIRC version 5. Each time The Creator completes one stage of the plan, we decrement the version number by one. We are at 2.2 now so as you can see, it wont be long until the end times .

    I'm kind of a newbie to Linux

    Welcome aboard brother.

    Why, I can remember my first experience with linux. I had a version 4.6.2 kernel running on a 386 with only 640K RAM. Ahh... those were the days!

    1. Re:you misunderstand by Anonymous Coward · · Score: 2, Redundant

      dispite what linus thinks, the _REAL_ version of linux is 7.2. Didn't the Creator tell you before? the end times is not as near as you think, brother

  9. they waited 2 days too long . . . by kraada · · Score: 3, Funny

    because how cool would it have been if kernel 2.2.20 came out on 11.1.01?

  10. 2.2.2 - 2.2.20 Sizing by SlickMickTrick · · Score: 2, Interesting

    Compare the size of the bz2 files between 2.2.2 and 2.2.20

    linux-2.2.2.tar.bz2 10.1M
    linux-2.2.20.tar.bz2 15.0M

    50% increase in the stable series...

  11. Re:Huh? by kfg · · Score: 4, Informative

    Alan Cox is, essentially, making a political statement. Details of the security patch arn't actually illegal in the sense that it has been declared so. However, certain readings of the DMCA *could* be interpreted as meaning that details of a security flaw that allowed unauthorized access to propriatary files, ( and this would include your private "to do" list, which is copyrighted to you at creation), would be a violation.

    Here is the the relevant section of the code:

    `Sec. 1201. Circumvention of copyright protection systems

    `(a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

    The entire text of the DMCA can be found here:

    http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2 28 1.ENR:

    Note the term "technological measure." What does this term mean? Well, as it turns out that's a damn good question, one that it has been left to the courts to decide.

    So let's say you fire up vi and write a "to do" list. You place it in your home directory. This is now propriatary information, technically copyrighted to you. That "to do" list is now has whatever protections upon it that that you assign the file and your home directory.

    So, let's say that only you have any rights to your home directory and the file itself, but someone manages to crack your machine and read the file * using the knowledge gained from reading the patch code and/or details of the hole.*

    You see? By assigning restricted permissions to the file you have used "technological measures" to insure its propriatary nature, and thus the security details could be interpreted as publishing a means to defeat that measure.

    Noone law enforcment agency has yet stepped forward to claim this interpretation, but there is absolutely no reason * why they couldn't.*

    Interestingly enough the Calfornia appellate court has just ruled in the DeCSS case that the injunction against distributing the source code of DeCSS was, indeed, an unconstitutional violation of freedom of speach. Note that the court made a clear and explicit distinction between machine readable compiled binary code and human readable source code. It acknowledged that compiled binaries would have had protection under the DMCA, but that *source code did not.*

    This ruling has ramifications throughout the software industry, particularly with regards to OSS. At the moment there is no legal restriction, per se, of *any kind* on distributing source code.

    Please make note though that this applies only to issues of *prior restraint.*

    This does not mean that all source code can be legally distributed, it means that until an actual *adjudication* is made that said distribution was illegal it cannot be restrained.

    A fine distinction of law that could get you out of, or *into*, trouble if you don't understand it properly.

    Ah, what tangled webs we weave, when first we practice to make the contents of people's *minds* illegal.

    KFG

  12. Re:Huh? by technos · · Score: 2

    File permissions *do* protect copyright. If I write code, and stick it on a free server in Finland, and chmod it all to hell so everyone else can't see it's existance, I've taken reasonable technical steps to protect non-disclosure of my IP. Now Joe BlowHax0r comes along, axploits the bug, and *my* reasonable technical effort is screwed. Oh, and the DMCA too.

    --
    .sig: Now legally binding!
  13. Drivers by srichman · · Score: 2
    Compare the size of the bz2 files between 2.2.2 and 2.2.20 ... 50% increase in the stable series...
    I would guess it's mostly drivers. New/updated drivers get added throughout stable series. As you probably know, drivers are by far the majority of the Linux kernel, and the size of the driver code grows much faster than the rest of the kernel.
  14. Didn't 2.2.19.1 fix this? by Masem · · Score: 2

    I believe a day after that possible local user exploit was discovered, in which the 2.4.x series was patched, they released what best could be called an interim 2.2, labeled 2.2.19.1. At least, from debian's info, here's what 2.2.19.1 had (note the high priority for a kernel image:) kernel-source-2.2.19 (2.2.19.1-1) stable unstable; urgency=high

    * Removed non-free Keyspan firmware (closes: #113382).
    * Fixed suid ptrace exploit (Solar Designer).
    * Fixed local symlink DoS (Solar Designer).
    * Added support for nm256xl+ (Mattia Monga, closes: #113343).

    -- Herbert Xu Sat, 20 Oct 2001 17:39:35 +1000

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
  15. Re:The Full Changelog by damiam · · Score: 2, Informative

    There was a /. discussion on this a few weeks ago.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  16. Re:The Full Changelog by dattaway · · Score: 2

    We could tell you, but the NSA would have to kill you.

  17. Re:The Full Changelog by vsavatar · · Score: 4, Informative

    Non-US citizens can find the full uncensored changelog at http://www.freeworld.net

    For those of you who don't want to have to go through a click-thru agreement I have posted them on

    http://www.burger-family.org/chglog-2_2_20.txt

    and

    http://www.geocities.com/vsavatar/chglog-2_2_20. tx t.

    I'm doing this to spite the DMCA and if they come after me for it then so be it. I'm sure the EFF and other organizations and individuals will be willing to help me out with my legal fees if the feds come after me for it. Since I'm in the US, I may be putting my neck on the line for this, but there are some things worth risking imprisonment for. I'm young and single... I have a lot to lose, but if we can't even post information like this which we as a community have helped put together and support over time, then we have lost more than I can stand to lose.