On Fri Oct 19, 2001 at 04:47:58PM +0200, Orlin Damyanov wrote:

> Is Mandrake going to provide a patch for the recent security bug in the 
> kernels provided with its distributions?

Yes.  The problem is that the vulnerability exists in every kernel we
have, and we support 7 different versions:  7.1, 7.2, 8.0, 8.1,
8.0/PPC, Corporate 1.0.1, and SNF7.2.  That is a lot of kernels to
build.  RedHat only released an update for their 2.4 kernel... they
have yet to release anything for their 2.2 kernels (AFAIK).

> According to Slashdot:
> http://slashdot.org/article.pl?sid=01/10/19/141229&mode=nested
> and to this mail
> http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21
>  from Rafal Wojtczuk and a German article on Heise Online, there's a new 
> severe bug in all Linux Kernels, from 2.2.0 up to 2.4.10, which allows 
> users to become root on your system. Kernel 2.4.12 fixes this problem, 
> and RedHat, Caldera and other distributors already supply patches for 
> their Kernels. See Bugtraq for more information." Important notes for 
> anyone running a multi-user system.
> 
> It is a local root exploit, that is, you must already have logged in on 
> the machine as non-root before using this exploit; in other words, the 
> user still needs to have execute privileges on the system they want to 
> root out.
> 
> In order for this flaw to be exploitable, /usr/bin/newgrp must be setuid 
> root and world-executable. Additionally, newgrp, when run with no 
> arguments, should not prompt for password.
> 
> 
> RedHat already put out an update [redhat.com]:
> 
> http://www.redhat.com/support/errata/RHSA-2001-129.html
> 
> 



-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD
 - Danen Consulting Services    www.danen.net, www.freezer-burn.org
 - MandrakeSoft, Inc. Security  www.linux-mandrake.com

Current Linux kernel 2.4.8-26mdk uptime: 2 days 12 hours 21 minutes.
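The quoted message names two file-level preconditions for exposure: /usr/bin/newgrp must be setuid root and world-executable. The script below is an added example, not code from this thread or from MandrakeSoft, that checks exactly those two mode conditions plus root ownership on a given path and prints a one-word verdict; the function names, the MISSING/SAFE/EXPOSED wording and the `chmod o-x` hardening step are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): assess whether a binary meets the
# preconditions quoted above -- setuid bit set, world-executable, owned by root.

# Returns 0 when the file has the setuid bit AND is executable by "other".
# `test -u` reads the setuid bit; `find -perm -001` requires the o+x bit.
mode_is_setuid_world_exec() {
    path=$1
    [ -f "$path" ] || return 2                  # not a regular file: nothing to assess
    [ -u "$path" ] && [ -n "$(find "$path" -prune -perm -001 -print 2>/dev/null)" ]
}

# Returns 0 when the file is owned by root (the "setuid root" half of the condition).
owned_by_root() {
    [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ]
}

# Prints MISSING, EXPOSED or SAFE for the given path (defaults to the binary
# named in the quoted advisory text).
assess_binary() {
    path=${1:-/usr/bin/newgrp}
    if [ ! -e "$path" ]; then
        echo MISSING
        return 0
    fi
    if mode_is_setuid_world_exec "$path" && owned_by_root "$path"; then
        echo EXPOSED
    else
        echo SAFE
    fi
}

# Mitigation consistent with the quoted precondition: remove the world-execute
# bit so the setuid binary is no longer reachable by arbitrary local users.
# (Which users should keep access via the group bits is a site decision.)
restrict_world_exec() {
    chmod o-x "$1"
}

# Stand-alone usage: report on the path given as $1, or on /usr/bin/newgrp.
assess_binary "${1:-/usr/bin/newgrp}"
```

Run it as root on each installed system image; EXPOSED means both conditions hold and the kernel update (or `restrict_world_exec`) is still outstanding. The password-prompt behaviour also mentioned in the quoted text is not a file-mode property and is not checked here.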
