On Fri, 2009-08-14 at 13:31 -0600, dann frazier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ----------------------------------------------------------------------
> Debian Security Advisory DSA-1862-1                 secur...@debian.org
> http://www.debian.org/security/                           dann frazier
> Aug 14, 2009                        http://www.debian.org/security/faq
> - ----------------------------------------------------------------------
>
> Package        : linux-2.6
> Vulnerability  : privilege escalation
> Problem type   : local
> Debian-specific: no
> CVE Id(s)      : CVE-2009-2692
>
> A vulnerability has been discovered in the Linux kernel that may lead
> to privilege escalation. The Common Vulnerabilities and Exposures project
> identifies the following problem:
>
> CVE-2009-2692
>
>     Tavis Ormandy and Julien Tinnes discovered an issue with how the
>     sendpage function is initialized in the proto_ops structure.
>     Local users can exploit this vulnerability to gain elevated
>     privileges.
>
> For the stable distribution (lenny), this problem has been fixed in
> version 2.6.26-17lenny2.

There's also a 2.6.26-18 in lenny-proposed-updates which contains some bugfixes that 2.6.26-17lenny2 doesn't have. The version of this kernel is higher than this security release, but it doesn't have the security patch included in this release.

What's the future of this kernel in lenny-proposed-updates: will we see 2.6.26-18lenny1, or will it get removed?

I don't have problems with "downgrading" to 2.6.26-17lenny2 for now, but I can imagine some users need the bugfixes in 2.6.26-18 and are still affected by this bug.