[expert] Linux Kernel Bugs in 2.2.0 up to 2.4.10
Is Mandrake going to provide a patch for the recent security bug in the kernels provided with its distributions?

According to Slashdot: http://slashdot.org/article.pl?sid=01/10/19/141229&mode=nested and to this mail http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21 from Rafal Wojtczuk and a German article on Heise Online, there's a new severe bug in all Linux Kernels, from 2.2.0 up to 2.4.10, which allows users to become root on your system. Kernel 2.4.12 fixes this problem, and RedHat, Caldera and other distributors already supply patches for their Kernels. See Bugtraq for more information.

Important notes for anyone running a multi-user system. It is a local root exploit, that is, you must already have logged in on the machine as non-root before using this exploit; in other words, the user still needs to have execute privileges on the system they want to root out.

In order for this flaw to be exploitable, /usr/bin/newgrp must be setuid root and world-executable. Additionally, newgrp, when run with no arguments, should not prompt for password.

RedHat already put out an update [redhat.com]: http://www.redhat.com/support/errata/RHSA-2001-129.html

Cheers,
Orlin
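A defensive check for the two preconditions stated in the message above (kernel version in the 2.2.0 to 2.4.10 range; /usr/bin/newgrp setuid root and world-executable), added here as an example and not part of the original thread. The function names are hypothetical, and the third condition (newgrp not prompting for a password) is not tested.

```shell
#!/bin/sh
# Added example (function names are hypothetical): checks the preconditions
# quoted in the message. A version match is only an indicator, since a vendor
# kernel can carry a backported fix under an older version string.

# ver_to_int 2.4.8-26mdk -> 2004008 (comparable integer)
ver_to_int() {
    v=${1%%-*}                       # drop a vendor suffix such as -26mdk
    old_ifs=$IFS; IFS=.
    set -- $v                        # split on dots into $1 $2 $3
    IFS=$old_ifs
    minor=${2%%[!0-9]*}; patch=${3%%[!0-9]*}   # leading digits only
    echo $(( ${1:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# True when the version lies in the range named in the thread: 2.2.0 .. 2.4.10
kernel_in_range() {
    n=$(ver_to_int "$1")
    [ "$n" -ge "$(ver_to_int 2.2.0)" ] && [ "$n" -le "$(ver_to_int 2.4.10)" ]
}

# True when an ls-style mode string plus numeric owner uid describe a regular
# file that is setuid, owned by root, and executable by "other".
mode_is_exposed() {
    case $1 in
        -??[sS]?????[xt]*) [ "$2" -eq 0 ] ;;
        *) return 1 ;;
    esac
}

# Apply mode_is_exposed to a real file (default: /usr/bin/newgrp).
newgrp_exposed() {
    f=${1:-/usr/bin/newgrp}
    [ -f "$f" ] || return 1
    set -- $(ls -ldLn "$f")          # $1 = mode string, $3 = owner uid
    mode_is_exposed "$1" "$3"
}

exposure_report() {
    k=${1:-$(uname -r)}
    if kernel_in_range "$k"; then echo "kernel $k: inside 2.2.0 - 2.4.10"
    else echo "kernel $k: outside 2.2.0 - 2.4.10"; fi
    if newgrp_exposed; then echo "newgrp: setuid root, world-executable"
    else echo "newgrp: not setuid root and world-executable, or absent"; fi
    return 0
}
exposure_report
```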
Re: [expert] Linux Kernel Bugs in 2.2.0 up to 2.4.10
On Fri Oct 19, 2001 at 04:47:58PM +0200, Orlin Damyanov wrote:

> Is Mandrake going to provide a patch for the recent security bug in the kernels provided with its distributions?

Yes. The problem is that the vulnerability exists in every kernel we have, and we support 7 different versions: 7.1, 7.2, 8.0, 8.1, 8.0/PPC, Corporate 1.0.1, and SNF7.2. That is a lot of kernels to build. RedHat only released an update for their 2.4 kernel... they have yet to release anything for their 2.2 kernels (AFAIK).

> According to Slashdot: http://slashdot.org/article.pl?sid=01/10/19/141229&mode=nested and to this mail http://www.securityfocus.com/cgi-bin/archive.pl?id=1&mid=221337&start=2001-10-15&end=2001-10-21 from Rafal Wojtczuk and a German article on Heise Online, there's a new severe bug in all Linux Kernels, from 2.2.0 up to 2.4.10, which allows users to become root on your system. Kernel 2.4.12 fixes this problem, and RedHat, Caldera and other distributors already supply patches for their Kernels. See Bugtraq for more information.
>
> Important notes for anyone running a multi-user system. It is a local root exploit, that is, you must already have logged in on the machine as non-root before using this exploit; in other words, the user still needs to have execute privileges on the system they want to root out.
>
> In order for this flaw to be exploitable, /usr/bin/newgrp must be setuid root and world-executable. Additionally, newgrp, when run with no arguments, should not prompt for password.
>
> RedHat already put out an update [redhat.com]: http://www.redhat.com/support/errata/RHSA-2001-129.html

--
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
- Danen Consulting Services www.danen.net, www.freezer-burn.org
- MandrakeSoft, Inc. Security www.linux-mandrake.com
Current Linux kernel 2.4.8-26mdk uptime: 2 days 12 hours 21 minutes.
Re: [expert] Linux Kernel Bugs in 2.2.0 up to 2.4.10
On Fri, 2001-10-19 at 11:23, Vincent Danen wrote:

> On Fri Oct 19, 2001 at 04:47:58PM +0200, Orlin Damyanov wrote:
>
> > Is Mandrake going to provide a patch for the recent security bug in the kernels provided with its distributions?
>
> Yes. The problem is that the vulnerability exists in every kernel we have, and we support 7 different versions: 7.1, 7.2, 8.0, 8.1, 8.0/PPC, Corporate 1.0.1, and SNF7.2. That is a lot of kernels to build. RedHat only released an update for their 2.4 kernel... they have yet to release anything for their 2.2 kernels (AFAIK).

Their 2.2 update covering the ptrace issue is mentioned on: http://www.redhat.com/support/errata/RHSA-2001-130.html issued on 2001-10-09, updated on 2001-10-16.

--
Woody ([EMAIL PROTECTED])
---
Gatewood Green
Web Developer
http://www.linux.org/
The first stop for Linux info on the Net
Email: [EMAIL PROTECTED]
---
All opinions expressed by me are my own and not necessarily endorsed by Linux Online, Inc. or Linux Headquarters, Inc.
Re: [expert] Linux Kernel Bugs in 2.2.0 up to 2.4.10
On Fri Oct 19, 2001 at 02:57:33PM -0600, Woody Green wrote:

> > > Is Mandrake going to provide a patch for the recent security bug in the kernels provided with its distributions?
> >
> > Yes. The problem is that the vulnerability exists in every kernel we have, and we support 7 different versions: 7.1, 7.2, 8.0, 8.1, 8.0/PPC, Corporate 1.0.1, and SNF7.2. That is a lot of kernels to build. RedHat only released an update for their 2.4 kernel... they have yet to release anything for their 2.2 kernels (AFAIK).
>
> Their 2.2 update covering the ptrace issue is mentioned on: http://www.redhat.com/support/errata/RHSA-2001-130.html issued on 2001-10-09, updated on 2001-10-16.

Ahhh... awesome. Thanks, Woody.

--
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
- Danen Consulting Services www.danen.net, www.freezer-burn.org
- MandrakeSoft, Inc. Security www.linux-mandrake.com
Current Linux kernel 2.4.8-26mdk uptime: 2 days 16 hours 50 minutes.