fwd: Debian security fix.
Collins Richey
erichey2
Mon May 17 11:56:19 PDT 2004
On Mon, 01 Dec 2003 13:07:37 -0800 Ken Moffat <kmoffat at drizzle.com> wrote:
> FYI
>
> Forwarded info from debian security list:
> Package : kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386,
> kernel-source-2.4.18 Vulnerability : userland can access full kernel memory
>
> Study of the exploit by the RedHat and SuSE kernel and security teams quickly
> revealed that the exploit used an integer overflow in the brk system call.
> Using this bug it is possible for a userland program to trick the kernel into
> giving access to the full kernel address space. This problem was found
> in September by Andrew Morton, but unfortunately that was too late for
!!!!!!!!!!!!
> the 2.4.22 kernel release.
>
> This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and
> 2.6.0-test6 kernel tree. For Debian it has been fixed in version
> 2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386
> kernel images and version 2.4.18-11 of the alpha kernel images.
>
Just curious. This vulnerability and fix goes back a ways. I've been at
2.6.0-test6 or above(now-test8) for a long time now, and 2.4.18 seems to be a
little long in the tooth for a critical server. Is this yet another example of
Debian liking well aged software and suffering the consequences?
--
Collins Richey - Denver Area
if you fill your heart with regrets of yesterday and the
worries of tomorrow, you have no today to be thankful for.
More information about the Linux-users
mailing list