3.14.4-100.fc19.gnu

8 files changed, 337 insertions, 85 deletions

diff --git a/freed-ora/current/f19/0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch b/freed-ora/current/f19/0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
deleted file mode 100644
index 03527a568..000000000
--- a/freed-ora/current/f19/0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d1b9785eda70e7638927d294139c6d4796cb7ea6 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Tue, 22 Apr 2014 11:08:16 +0200
-Subject: [PATCH v3] synaptics: Add min/max quirk for ThinkPad Edge E431
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/input/mouse/synaptics.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
-index 7c9f509..93cc8fd 100644
---- a/drivers/input/mouse/synaptics.c
-+++ b/drivers/input/mouse/synaptics.c
-@@ -1566,6 +1566,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
- 		.driver_data = (int []){1232, 5710, 1156, 4696},
- 	},
- 	{
-+		/* Lenovo ThinkPad Edge E431 */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-+			DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Edge E431"),
-+		},
-+		.driver_data = (int []){1024, 5022, 2508, 4832},
-+	},
-+	{
- 		/* Lenovo ThinkPad T431s */
- 		.matches = {
- 			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
--- 
-1.9.0
-
diff --git a/freed-ora/current/f19/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch b/freed-ora/current/f19/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
new file mode 100644
index 000000000..1aec648f9
--- /dev/null
+++ b/freed-ora/current/f19/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
@@ -0,0 +1,98 @@
+Bugzilla: 1096784
+Upstream-status: 3.15
+
+From 0e1e9b265ec6c9b69ba5443e0d11aaa9a92ded53 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 13 Apr 2014 18:23:33 +0200
+Subject: [PATCH] filter: prevent nla extensions to peek beyond the end of the
+ message
+
+Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3
+
+The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
+for a minimal message length before testing the supplied offset to be
+within the bounds of the message. This allows the subtraction of the nla
+header to underflow and therefore -- as the data type is unsigned --
+allowing far to big offset and length values for the search of the
+netlink attribute.
+
+The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
+also wrong. It has the minuend and subtrahend mixed up, therefore
+calculates a huge length value, allowing to overrun the end of the
+message while looking for the netlink attribute.
+
+The following three BPF snippets will trigger the bugs when attached to
+a UNIX datagram socket and parsing a message with length 1, 2 or 3.
+
+ ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
+ | ld	#0x87654321
+ | ldx	#42
+ | ld	#nla
+ | ret	a
+ `---
+
+ ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
+ | ld	#0x87654321
+ | ldx	#42
+ | ld	#nlan
+ | ret	a
+ `---
+
+ ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
+ | ; (needs a fake netlink header at offset 0)
+ | ld	#0
+ | ldx	#42
+ | ld	#nlan
+ | ret	a
+ `---
+
+Fix the first issue by ensuring the message length fulfills the minimal
+size constrains of a nla header. Fix the second bug by getting the math
+for the remainder calculation right.
+
+Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
+Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
+Cc: Patrick McHardy <kaber@trash.net>
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Acked-by: Daniel Borkmann <dborkman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/core/filter.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index ad30d626a5bd..7be35b5fc22f 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -355,6 +355,10 @@ load_b:
+ 
+ 			if (skb_is_nonlinear(skb))
+ 				return 0;
++			
++			if (skb->len < sizeof(struct nlattr))
++				return 0;
++
+ 			if (A > skb->len - sizeof(struct nlattr))
+ 				return 0;
+ 
+@@ -371,11 +375,15 @@ load_b:
+ 
+ 			if (skb_is_nonlinear(skb))
+ 				return 0;
++
++			if (skb->len < sizeof(struct nlattr))
++				return 0;
++
+ 			if (A > skb->len - sizeof(struct nlattr))
+ 				return 0;
+ 
+ 			nla = (struct nlattr *)&skb->data[A];
+-			if (nla->nla_len > A - skb->len)
++			if (nla->nla_len > skb->len - A)
+ 				return 0;
+ 
+ 			nla = nla_find_nested(nla, X);
+-- 
+1.9.0
+
diff --git a/freed-ora/current/f19/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch b/freed-ora/current/f19/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
new file mode 100644
index 000000000..93fce3d43
--- /dev/null
+++ b/freed-ora/current/f19/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
@@ -0,0 +1,38 @@
+Bugzilla: 1096195
+Upstream-status: 3.15 and queued for stable
+
+From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+
+From: Matthew Daley <mattd@bugfuzz.com>
+
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void
+ 	int ret;
+ 
+ 	while (ptr) {
+-		ret = copy_to_user(param, ptr, sizeof(*ptr));
++		struct floppy_raw_cmd cmd = *ptr;
++		cmd.next = NULL;
++		cmd.kernel_data = NULL;
++		ret = copy_to_user(param, &cmd, sizeof(cmd));
+ 		if (ret)
+ 			return -EFAULT;
+ 		param += sizeof(struct floppy_raw_cmd);
diff --git a/freed-ora/current/f19/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch b/freed-ora/current/f19/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
new file mode 100644
index 000000000..712a9e069
--- /dev/null
+++ b/freed-ora/current/f19/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
@@ -0,0 +1,48 @@
+Bugzilla: 1096195
+Upstream-status: 3.15 and queued for stable
+
+From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+
+From: Matthew Daley <mattd@bugfuzz.com>
+
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an interdeterminate state.
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3107,10 +3107,11 @@ loop:
+ 		return -ENOMEM;
+ 	*rcmd = ptr;
+ 	ret = copy_from_user(ptr, param, sizeof(*ptr));
+-	if (ret)
+-		return -EFAULT;
+ 	ptr->next = NULL;
+ 	ptr->buffer_length = 0;
++	ptr->kernel_data = NULL;
++	if (ret)
++		return -EFAULT;
+ 	param += sizeof(struct floppy_raw_cmd);
+ 	if (ptr->cmd_count > 33)
+ 			/* the command may now also take up the space
+@@ -3126,7 +3127,6 @@ loop:
+ 	for (i = 0; i < 16; i++)
+ 		ptr->reply[i] = 0;
+ 	ptr->resultcode = 0;
+-	ptr->kernel_data = NULL;
+ 
+ 	if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+ 		if (ptr->length <= 0)
diff --git a/freed-ora/current/f19/jme-fix-dma-unmap-error.patch b/freed-ora/current/f19/jme-fix-dma-unmap-error.patch
new file mode 100644
index 000000000..208447289
--- /dev/null
+++ b/freed-ora/current/f19/jme-fix-dma-unmap-error.patch
@@ -0,0 +1,124 @@
+diff -up ./drivers/net/ethernet/jme.c.orig ./drivers/net/ethernet/jme.c
+--- ./drivers/net/ethernet/jme.c.orig	2014-03-30 23:40:15.000000000 -0400
++++ ./drivers/net/ethernet/jme.c	2014-05-08 12:16:52.701746091 -0400
+@@ -1988,7 +1988,7 @@ jme_alloc_txdesc(struct jme_adapter *jme
+ 	return idx;
+ }
+ 
+-static void
++static int
+ jme_fill_tx_map(struct pci_dev *pdev,
+ 		struct txdesc *txdesc,
+ 		struct jme_buffer_info *txbi,
+@@ -2005,6 +2005,9 @@ jme_fill_tx_map(struct pci_dev *pdev,
+ 				len,
+ 				PCI_DMA_TODEVICE);
+ 
++	if (unlikely(pci_dma_mapping_error(pdev, dmaaddr)))
++		return -EINVAL;
++
+ 	pci_dma_sync_single_for_device(pdev,
+ 				       dmaaddr,
+ 				       len,
+@@ -2021,9 +2024,30 @@ jme_fill_tx_map(struct pci_dev *pdev,
+ 
+ 	txbi->mapping = dmaaddr;
+ 	txbi->len = len;
++	return 0;
+ }
+ 
+-static void
++static void jme_drop_tx_map(struct jme_adapter *jme, int startidx, int endidx)
++{
++	struct jme_ring *txring = &(jme->txring[0]);
++	struct jme_buffer_info *txbi = txring->bufinf, *ctxbi;
++	int mask = jme->tx_ring_mask;
++	int j;
++
++	for (j = startidx ; j < endidx ; ++j) {
++		ctxbi = txbi + ((startidx + j + 2) & (mask));
++		pci_unmap_page(jme->pdev,
++				ctxbi->mapping,
++				ctxbi->len,
++				PCI_DMA_TODEVICE);
++
++				ctxbi->mapping = 0;
++				ctxbi->len = 0;
++	}
++
++}
++
++static int
+ jme_map_tx_skb(struct jme_adapter *jme, struct sk_buff *skb, int idx)
+ {
+ 	struct jme_ring *txring = &(jme->txring[0]);
+@@ -2034,25 +2058,37 @@ jme_map_tx_skb(struct jme_adapter *jme,
+ 	int mask = jme->tx_ring_mask;
+ 	const struct skb_frag_struct *frag;
+ 	u32 len;
++	int ret = 0;
+ 
+ 	for (i = 0 ; i < nr_frags ; ++i) {
+ 		frag = &skb_shinfo(skb)->frags[i];
+ 		ctxdesc = txdesc + ((idx + i + 2) & (mask));
+ 		ctxbi = txbi + ((idx + i + 2) & (mask));
+ 
+-		jme_fill_tx_map(jme->pdev, ctxdesc, ctxbi,
++		ret = jme_fill_tx_map(jme->pdev, ctxdesc, ctxbi,
+ 				skb_frag_page(frag),
+ 				frag->page_offset, skb_frag_size(frag), hidma);
++		if (ret) {
++			jme_drop_tx_map(jme, idx, idx+i);
++			goto out;
++		}
++
+ 	}
+ 
+ 	len = skb_is_nonlinear(skb) ? skb_headlen(skb) : skb->len;
+ 	ctxdesc = txdesc + ((idx + 1) & (mask));
+ 	ctxbi = txbi + ((idx + 1) & (mask));
+-	jme_fill_tx_map(jme->pdev, ctxdesc, ctxbi, virt_to_page(skb->data),
++	ret = jme_fill_tx_map(jme->pdev, ctxdesc, ctxbi, virt_to_page(skb->data),
+ 			offset_in_page(skb->data), len, hidma);
++	if (ret)
++		jme_drop_tx_map(jme, idx, idx+i);
++
++out:
++	return ret;
+ 
+ }
+ 
++
+ static int
+ jme_expand_header(struct jme_adapter *jme, struct sk_buff *skb)
+ {
+@@ -2144,6 +2180,7 @@ jme_fill_tx_desc(struct jme_adapter *jme
+ 	struct txdesc *txdesc;
+ 	struct jme_buffer_info *txbi;
+ 	u8 flags;
++	int ret = 0;
+ 
+ 	txdesc = (struct txdesc *)txring->desc + idx;
+ 	txbi = txring->bufinf + idx;
+@@ -2168,7 +2205,10 @@ jme_fill_tx_desc(struct jme_adapter *jme
+ 	if (jme_tx_tso(skb, &txdesc->desc1.mss, &flags))
+ 		jme_tx_csum(jme, skb, &flags);
+ 	jme_tx_vlan(skb, &txdesc->desc1.vlan, &flags);
+-	jme_map_tx_skb(jme, skb, idx);
++	ret = jme_map_tx_skb(jme, skb, idx);
++	if (ret)
++		return ret;
++
+ 	txdesc->desc1.flags = flags;
+ 	/*
+ 	 * Set tx buffer info after telling NIC to send
+@@ -2240,7 +2280,8 @@ jme_start_xmit(struct sk_buff *skb, stru
+ 		return NETDEV_TX_BUSY;
+ 	}
+ 
+-	jme_fill_tx_desc(jme, skb, idx);
++	if (jme_fill_tx_desc(jme, skb, idx))
++		return NETDEV_TX_BUSY;
+ 
+ 	jwrite32(jme, JME_TXCS, jme->reg_txcs |
+ 				TXCS_SELECT_QUEUE0 |
diff --git a/freed-ora/current/f19/kernel.spec b/freed-ora/current/f19/kernel.spec
index 32dcf3146..31b4b9adb 100644
--- a/freed-ora/current/f19/kernel.spec
+++ b/freed-ora/current/f19/kernel.spec
@@ -112,7 +112,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -778,21 +778,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
 #rhbz 1051748
 Patch25035: Bluetooth-allocate-static-minor-for-vhci.patch
 
-#rhbz 1046495
-Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
-
-#CVE-2014-0155 rhbz 1081589 1085016
-Patch25036: KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
-
-#rhbz 1074235
-Patch25055: lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
-
 #CVE-2014-2851 rhbz 1086730 1087420
 Patch25059: net-ipv4-current-group_info-should-be-put-after-using.patch
 
-#rhbz 1085582 1085697 1088588
-Patch25060: 0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
-
 #rhbz 1074710
 Patch25061: mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
 
@@ -811,9 +799,6 @@ Patch25072: HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch
 #rhbz 1013466
 Patch25065: selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
 
-#rhbz 1089689
-Patch25066: 0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
-
 #rhbz 1090746
 Patch25067: ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch
 
@@ -832,12 +817,6 @@ Patch25073: net-Start-with-correct-mac_len-in-skb_network_protoc.patch
 #rhbz 1089545
 Patch25074: 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
 
-#rhbz 1082586
-Patch25075: locks-allow-__break_lease-to-sleep-even-when-break_t.patch
-
-#CVE-2014-0196 rhbz 1094232 1094240
-Patch25076: n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
-
 #misc input fixes
 Patch25077: 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch
 Patch25078: 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch
@@ -856,6 +835,12 @@ Patch25084: 3-5-net-Add-variants-of-capable-for-use-on-on-sockets.patch
 Patch25085: 4-5-net-Add-variants-of-capable-for-use-on-netlink-messages.patch
 Patch25086: 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-messages.patch
 
+#rhbz 1082266
+Patch25087: jme-fix-dma-unmap-error.patch
+
+# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
+Patch25090: filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1579,12 +1564,6 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
 #rhbz 1051748
 ApplyPatch Bluetooth-allocate-static-minor-for-vhci.patch
 
-#rhbz 1046495
-ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
-
-#CVE-2014-0155 rhbz 1081589 1085016
-ApplyPatch KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
-
 #rhbz 1048314
 ApplyPatch 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch
 #rhbz 1089583
@@ -1592,15 +1571,9 @@ ApplyPatch 0001-HID-rmi-do-not-handle-touchscreens-through-hid-rmi.patch
 #rhbz 1090161
 ApplyPatch HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch
 
-#rhbz 1074235
-ApplyPatch lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
-
 #CVE-2014-2851 rhbz 1086730 1087420
 ApplyPatch net-ipv4-current-group_info-should-be-put-after-using.patch
 
-#rhbz 1085582 1085697
-ApplyPatch 0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
-
 #rhbz 1074710
 ApplyPatch mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
 
@@ -1610,9 +1583,6 @@ ApplyPatch USB-serial-ftdi_sio-add-id-for-Brainboxes-serial-car.patch
 #rhbz 1013466
 ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
 
-#rhbz 1089689
-ApplyPatch 0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
-
 #rhbz 1090746
 ApplyPatch ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch
 
@@ -1631,12 +1601,6 @@ ApplyPatch net-Start-with-correct-mac_len-in-skb_network_protoc.patch
 #rhbz 1089545
 ApplyPatch 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
 
-#rhbz 1082586
-ApplyPatch locks-allow-__break_lease-to-sleep-even-when-break_t.patch
-
-#CVE-2014-0196 rhbz 1094232 1094240
-ApplyPatch n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
-
 #misc input fixes
 ApplyPatch 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch
 ApplyPatch 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch
@@ -1655,6 +1619,11 @@ ApplyPatch 3-5-net-Add-variants-of-capable-for-use-on-on-sockets.patch
 ApplyPatch 4-5-net-Add-variants-of-capable-for-use-on-netlink-messages.patch
 ApplyPatch 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-messages.patch
 
+#rhbz 1082266
+ApplyPatch jme-fix-dma-unmap-error.patch
+
+# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
+ApplyPatch filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2479,7 +2448,22 @@ fi
 # and build.
 
 %changelog
-* Fri May  9 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre
+* Tue May 13 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 3.14.4-gnu.
+
+* Tue May 13 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.14.4-100
+- Linux v3.14.4
+
+* Mon May 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784)
+
+* Fri May 09 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-1738 CVE-2014-1737 floppy: priv esclation (rhbz 1094299 1096195)
+
+* Thu May 08 2014 Neil Horman <nhorman@redhat.com> - 3.14.3-101
+- Fix dma unmap error in jme driver (rhbz 1082266)
+
+* Thu May  8 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre Fri May  9
 - GNU Linux-libre 3.14.3-gnu.
 
 * Thu May 08 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.14.3-100
diff --git a/freed-ora/current/f19/patch-3.13-gnu-3.13.11-gnu.xz.sign b/freed-ora/current/f19/patch-3.13-gnu-3.13.11-gnu.xz.sign
deleted file mode 100644
index bc9199be7..000000000
--- a/freed-ora/current/f19/patch-3.13-gnu-3.13.11-gnu.xz.sign
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.22 (GNU/Linux)
-
-iEYEABECAAYFAlNXn20ACgkQvLfPh359R6cwPACcDRoc35NJlGD1bVE4KLjbV3vj
-GhIAn1jBogefEJ+Amv7fvItPZMHSnzxT
-=zWY8
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f19/sources b/freed-ora/current/f19/sources
index 8abf79368..777c34a96 100644
--- a/freed-ora/current/f19/sources
+++ b/freed-ora/current/f19/sources
@@ -1,2 +1,2 @@
 c108ec52eeb2a9b9ddbb8d12496ff25f  linux-libre-3.14-gnu.tar.xz
-92a784cdb150c798e122ac080dc0f455  patch-3.14.3.xz
+116f27cf17c3522716b6678b17516067  patch-3.14.4.xz