Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation

2009-08-17 Thread Jan de Groot
On Fri, 2009-08-14 at 13:31 -0600, dann frazier wrote:
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
 - ------------------------------------------------------------------------
 Debian Security Advisory DSA-1862-1                  secur...@debian.org
 http://www.debian.org/security/                            dann frazier
 Aug 14, 2009                           http://www.debian.org/security/faq
 - ------------------------------------------------------------------------
 
 Package: linux-2.6
 Vulnerability  : privilege escalation
 Problem type   : local
 Debian-specific: no
 CVE Id(s)  : CVE-2009-2692
 
 A vulnerability has been discovered in the Linux kernel that may lead
 to privilege escalation. The Common Vulnerabilities and Exposures project
 identifies the following problem:
 
 CVE-2009-2692
 
 Tavis Ormandy and Julien Tinnes discovered an issue with how the
 sendpage function is initialized in the proto_ops structure.
 Local users can exploit this vulnerability to gain elevated
 privileges.
 
 For the stable distribution (lenny), this problem has been fixed in
 version 2.6.26-17lenny2.

There's also a 2.6.26-18 in lenny-proposed-updates which contains some
bugfixes that 2.6.26-17lenny2 doesn't have. The version of this kernel
is higher than this security release, but it doesn't have the security
patch included in this release. What's the future of this kernel in
lenny-proposed-updates: will we see 2.6.26-18lenny1, or will it get
removed?
I don't have problems with downgrading to 2.6.26-17lenny2 for now, but
I can imagine some users need the bugfixes in 2.6.26-18 and are still
affected by this bug.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
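The advisory describes the bug as a problem with how sendpage was initialised in a proto_ops table. What follows is an added example, not kernel code and not part of this thread: a user-space model of the same shape, a dispatch table whose sendpage member is left NULL because the initialiser never mentions it, next to a dispatcher with and without the check. The struct and the names sloppy_ops, sock_sendpage_unchecked, sock_sendpage_checked and ops_table_complete are constructed here; the kernel's own generic fallback, sock_no_sendpage, is cited from memory rather than from the advisory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's struct proto_ops (constructed for this example;
 * the real structure has many more members). */
struct proto_ops {
    const char *name;
    int (*sendmsg)(const char *buf, size_t len);
    int (*sendpage)(const char *buf, size_t len);
};

/* Per-protocol handlers. "Sending" here just reports the length handled. */
static int tcp_sendmsg(const char *buf, size_t len)    { (void)buf; return (int)len; }
static int tcp_sendpage(const char *buf, size_t len)   { (void)buf; return (int)len; }
static int sloppy_sendmsg(const char *buf, size_t len) { (void)buf; return (int)len; }

/* Generic fallback for a protocol with no sendpage of its own. The kernel's
 * sock_no_sendpage emulates the operation through sendmsg; this stub refuses. */
static int no_sendpage(const char *buf, size_t len)
{
    (void)buf; (void)len;
    return -ENOSYS;
}

/* A complete table. */
static const struct proto_ops tcp_ops = {
    .name = "tcp", .sendmsg = tcp_sendmsg, .sendpage = tcp_sendpage,
};

/* A table whose author listed sendmsg but forgot sendpage. C's aggregate
 * initialisation silently leaves the unmentioned member NULL. */
static const struct proto_ops sloppy_ops = {
    .name = "sloppy", .sendmsg = sloppy_sendmsg,
};

/* Dispatcher that trusts the table. On sloppy_ops this is a call through a
 * NULL function pointer: SIGSEGV in user space; in a kernel where the caller
 * can map page zero, a jump to attacker-chosen code. Shown for the shape of
 * the bug; do not call it on an incomplete table. */
int sock_sendpage_unchecked(const struct proto_ops *ops, const char *buf, size_t len)
{
    return ops->sendpage(buf, len);
}

/* Dispatcher that checks the slot and falls back to the safe default. */
int sock_sendpage_checked(const struct proto_ops *ops, const char *buf, size_t len)
{
    if (ops->sendpage == NULL)
        return no_sendpage(buf, len);
    return ops->sendpage(buf, len);
}

/* Registration-time audit: 1 if every slot is populated, else 0. A missing
 * member caught here is one refused registration instead of an oops that any
 * local user can trigger later. */
int ops_table_complete(const struct proto_ops *ops)
{
    return ops->sendmsg != NULL && ops->sendpage != NULL;
}

int main(void)
{
    const struct proto_ops *tables[] = { &tcp_ops, &sloppy_ops };
    size_t i;

    for (i = 0; i < sizeof tables / sizeof tables[0]; i++) {
        const struct proto_ops *ops = tables[i];
        printf("%-7s complete=%d checked sendpage=%d\n", ops->name,
               ops_table_complete(ops),
               sock_sendpage_checked(ops, "payload", 7));
    }
    return 0;
}
```

The two defences are complementary: the NULL check in the dispatcher protects against tables that are already registered, and the audit at registration time stops a new protocol from shipping with a hole in its table in the first place.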



Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation

2009-08-17 Thread Michael S. Gilbert
On Mon, 17 Aug 2009 15:36:57 +0200, Jan de Groot wrote:
 On Fri, 2009-08-14 at 13:31 -0600, dann frazier wrote:
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1
  
  - ------------------------------------------------------------------------
  Debian Security Advisory DSA-1862-1                  secur...@debian.org
  http://www.debian.org/security/                            dann frazier
  Aug 14, 2009                           http://www.debian.org/security/faq
  - ------------------------------------------------------------------------
  
  Package: linux-2.6
  Vulnerability  : privilege escalation
  Problem type   : local
  Debian-specific: no
  CVE Id(s)  : CVE-2009-2692
  
  A vulnerability has been discovered in the Linux kernel that may lead
  to privilege escalation. The Common Vulnerabilities and Exposures project
  identifies the following problem:
  
  CVE-2009-2692
  
  Tavis Ormandy and Julien Tinnes discovered an issue with how the
  sendpage function is initialized in the proto_ops structure.
  Local users can exploit this vulnerability to gain elevated
  privileges.
  
  For the stable distribution (lenny), this problem has been fixed in
  version 2.6.26-17lenny2.
 
 There's also a 2.6.26-18 in lenny-proposed-updates which contains some
 bugfixes that 2.6.26-17lenny2 doesn't have. The version of this kernel
 is higher than this security release, but it doesn't have the security
 patch included in this release. What's the future of this kernel in
 lenny-proposed-updates: will we see 2.6.26-18lenny1, or will it get
 removed?
 I don't have problems with downgrading to 2.6.26-17lenny2 for now, but
 I can imagine some users need the bugfixes in 2.6.26-18 and are still
 affected by this bug.

proposed-updates is not supported by the security team. However,
patches will certainly get applied there at some point before the next
point release; just don't expect that to be done with much urgency. If
you are concerned about security, stick with the core package pool.

mike


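Both Jan's question and Mike's answer turn on version ordering: dpkg and apt sort 2.6.26-18 above 2.6.26-17lenny2, so a script that tests "installed is at least the version the DSA names" calls the proposed-updates kernel fixed when it is not. The block below is an added example, not code from this thread or from dpkg itself. It reimplements the comparison algorithm dpkg uses (epoch, then upstream version, then Debian revision, each component walked as alternating non-digit and digit runs, with "~" sorting before everything including end of string) and shows the naive check going wrong on the versions from the thread. The names deb_version_cmp, naive_is_fixed and struct debver are chosen here.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sort weight dpkg gives a non-digit character: '~' sorts before the end of
 * the string, end of string before letters, letters before other punctuation. */
static int order(int c)
{
    if (isdigit(c)) return 0;
    if (isalpha(c)) return c;
    if (c == '~')   return -1;
    if (c)          return c + 256;
    return 0;
}

/* Compare one component (upstream version or Debian revision) the dpkg way:
 * a non-digit run compared by order(), then a digit run compared numerically,
 * repeated until one side differs or both end. */
static int verrevcmp(const char *a, const char *b)
{
    while (*a || *b) {
        int first_diff = 0;

        while ((*a && !isdigit((unsigned char)*a)) ||
               (*b && !isdigit((unsigned char)*b))) {
            int ac = order((unsigned char)*a);
            int bc = order((unsigned char)*b);
            if (ac != bc)
                return ac - bc;
            a++;
            b++;
        }
        while (*a == '0') a++;
        while (*b == '0') b++;
        while (isdigit((unsigned char)*a) && isdigit((unsigned char)*b)) {
            if (!first_diff)
                first_diff = *a - *b;
            a++;
            b++;
        }
        if (isdigit((unsigned char)*a)) return 1;   /* longer digit run wins */
        if (isdigit((unsigned char)*b)) return -1;
        if (first_diff) return first_diff;
    }
    return 0;
}

/* "epoch:upstream-revision" split into parts. Epoch defaults to 0 and the
 * revision to "" when absent; the last '-' separates the revision. */
struct debver {
    long epoch;
    char upstream[128];
    char revision[128];
};

static void parse_version(const char *v, struct debver *out)
{
    const char *colon = strchr(v, ':');
    const char *hyphen;

    out->epoch = 0;
    if (colon) {
        out->epoch = strtol(v, NULL, 10);
        v = colon + 1;
    }
    hyphen = strrchr(v, '-');
    if (hyphen) {
        size_t n = (size_t)(hyphen - v);
        if (n >= sizeof out->upstream)
            n = sizeof out->upstream - 1;
        memcpy(out->upstream, v, n);
        out->upstream[n] = '\0';
        snprintf(out->revision, sizeof out->revision, "%s", hyphen + 1);
    } else {
        snprintf(out->upstream, sizeof out->upstream, "%s", v);
        out->revision[0] = '\0';
    }
}

/* -1, 0 or 1 as a sorts before, equal to, or after b. */
int deb_version_cmp(const char *a, const char *b)
{
    struct debver va, vb;
    int r;

    parse_version(a, &va);
    parse_version(b, &vb);
    if (va.epoch != vb.epoch)
        return va.epoch < vb.epoch ? -1 : 1;
    r = verrevcmp(va.upstream, vb.upstream);
    if (!r)
        r = verrevcmp(va.revision, vb.revision);
    return (r > 0) - (r < 0);
}

/* The tempting check: "installed is at least the version the DSA names, so
 * the fix is in". Returns 1 when the ordering says yes. */
int naive_is_fixed(const char *installed, const char *fixed)
{
    return deb_version_cmp(installed, fixed) >= 0;
}

int main(void)
{
    const char *fixed = "2.6.26-17lenny2";   /* version named in DSA-1862-1 */
    const char *candidates[] = {
        "2.6.26-17lenny1",   /* previous security build */
        "2.6.26-17lenny2",   /* the fixed build */
        "2.6.26-18",         /* lenny-proposed-updates: sorts higher, lacks the patch */
    };
    size_t i;

    for (i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-16s cmp=%+d naive_is_fixed=%d\n", candidates[i],
               deb_version_cmp(candidates[i], fixed),
               naive_is_fixed(candidates[i], fixed));
    return 0;
}
```

The practical consequence for anyone running the proposed-updates kernel: a version comparison cannot tell you whether CVE-2009-2692 is patched, because the fix and the higher-numbered package came from different queues. Confirm it from the package's changelog entry for the CVE, or stay on the security pool as Mike advises.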