Is Mandrake going to provide a patch for the recent security bug in the 
kernels provided with its distributions?

According to Slashdot:
http://slashdot.org/article.pl?sid=01/10/19/141229&mode=nested
and to this mail
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21
from Rafal Wojtczuk and a German article on Heise Online, there's a new 
severe bug in all Linux Kernels, from 2.2.0 up to 2.4.10, which allows 
users to become root on your system. Kernel 2.4.12 fixes this problem, 
and RedHat, Caldera and other distributors already supply patches for 
their Kernels. See Bugtraq for more information." Important notes for 
anyone running a multi-user system.

It is a local root exploit; that is, you must already have logged in on 
the machine as non-root before using this exploit. In other words, the 
user still needs to have execute privileges on the system they want to 
root out.

In order for this flaw to be exploitable, /usr/bin/newgrp must be setuid 
root and world-executable. Additionally, newgrp, when run with no 
arguments, should not prompt for password.


RedHat already put out an update [redhat.com]:

http://www.redhat.com/support/errata/RHSA-2001-129.html


Cheers,
Orlin
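
An added example, not part of the message above: a shell check for two of the conditions it lists, the kernel version range (2.2.0 up to 2.4.10) and the mode and ownership of /usr/bin/newgrp. The function names are made up for this example, and the third condition (newgrp not prompting for a password) is not tested.

```shell
#!/bin/sh
# Added example. Version bounds and the newgrp path are the ones quoted in
# the message; every function name here is hypothetical.

# "2.4.8-26mdk" -> 2004008, so versions compare as plain integers.
ver_num() {
    v=${1%%-*}                                   # drop distribution suffix
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    a=${1%%[!0-9]*}; b=${2%%[!0-9]*}; c=${3%%[!0-9]*}   # "10pre5" -> "10"
    echo $(( ${a:-0} * 1000000 + ${b:-0} * 1000 + ${c:-0} ))
}

# Range stated in the message: 2.2.0 up to 2.4.10 (2.4.12 carries the fix).
# A match only means "check the vendor errata": a distributor's patched
# kernel can keep the upstream version number.
kernel_in_reported_range() {
    n=$(ver_num "$1")
    [ "$n" -ge 2002000 ] && [ "$n" -le 2004010 ]
}

# True when both the setuid bit and the world-execute bit are set.
setuid_world_exec() {
    [ -n "$(find -H "$1" -prune -perm -4001 -print 2>/dev/null)" ]
}

# True when the file belongs to uid 0.
owned_by_root() {
    [ -n "$(find -H "$1" -prune -user 0 -print 2>/dev/null)" ]
}

report() {   # report KERNEL_RELEASE NEWGRP_PATH
    if kernel_in_reported_range "$1"; then
        echo "kernel $1: inside the reported range, check vendor errata"
    else
        echo "kernel $1: outside the reported range"
    fi
    if setuid_world_exec "$2" && owned_by_root "$2"; then
        echo "$2: setuid root and world-executable (precondition met)"
    else
        echo "$2: not setuid root and world-executable"
    fi
}

report "$(uname -r)" /usr/bin/newgrp
```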

