LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The networking hash vulnerability

The networking hash vulnerability

Posted May 22, 2003 11:33 UTC (Thu) by alspnost (subscriber, #2763)
Parent article: The networking hash vulnerability

> The 2.4.21-rc2 and 2.5.69 kernels also contain the fix - but nobody
> should be running important services on either of those.

Well, I don't understand why the former should be unsafe. I would be far happier running on 2.4.21-rc2 than 2.4.20, since it contains this any many other critical fixes, and seems to be much more stable too.

I reckon a 2.4-rc is safe for almost anyone, but I do wish Marcelo would move along and release 2.4.21 at long last....

(Log in to post comments)

The networking hash vulnerability

Posted May 22, 2003 12:09 UTC (Thu) by DaveK (subscriber, #2531) [Link]

A quick check of ftp.kernel.org suggests that 2.4.20 was released on 28th November 2002. ie. almost exactly 6 months ago.
Thus the 2.4.20 kernel is obviously without any security vulnerabilities or other scary data trashing issues, and supports all the latest hardware, otherwise a new release whould have happened by now.
Since it is the latest issue on ftp.kernel.org it is abvious that it is the one that everyone is recommended to download and run, I don't see what all the fuss is about.

2.4.20 not entirely safe

Posted May 22, 2003 13:29 UTC (Thu) by alspnost (subscriber, #2763) [Link]

Not true. 2.4.20 does have some security problems, like the ptrace vulnerability, some possible ext3 filesystem corruption issues, and this latest DoS issue. There's also the fact that it doesn't support lots of recent hardware etc. Anyway, many people _did_ request an accelerated 2.4.21 release when the ptrace flaw was discovered, but it didn't happen. Alan Cox deemed it serious enough to release a new 2.2 kernel.

In the end, people using vendor kernels get the fixes by updating those; hackers who build their own kernels are probably happy running prepatches, or certainly -rc releases. FWIW, I'm with 2.4.21-rc on Gentoo and it's rock solid.

Sarcasm alert

Posted May 22, 2003 19:19 UTC (Thu) by roelofs (subscriber, #2599) [Link]

I'm pretty sure DaveK was employing verbal irony. He's not the only one who wishes Marcelo would get off his thumb and release the 2.4 kernels a little more quickly, at least when there are longstanding security holes to be patched. (And yes, I've resorted to various -pre and -rc kernels because I had to, but at least two of those failed to build and required additional patches.)

Btw, typo alert for Jonathan: "problemis"

Sarcasm alert

Posted May 22, 2003 22:39 UTC (Thu) by alspnost (subscriber, #2763) [Link]

Thanks - yes, I think you're right. My sarcasm detector got switched off in the middle of a busy day at work ;-)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds