

Where are the kernel updates?

On April 5, Florian Weimer sent a note to the linux-kernel mailing list describing a hashing vulnerability in the 2.4 kernel. His assessment:

It is possible to freeze machines with 1 GB of RAM and more with a stream of 400 packets per second with carefully chosen source addresses. Not good.

This problem was also described on this page last week.

We are, in other words, going on two months since this vulnerability was publicly disclosed. A quick look at the LWN Vulnerability Database entry for this problem, however, shows that only two distributors (EnGarde and Red Hat) have updated their kernels to close this hole. So all of the other distributors, many of which have a very good history of quick response to security problems, are leaving their users exposed on this one.

This vulnerability may seem less urgent because it cannot be used to gain root access to a target machine. It can, however, be used to take a system off the net. The asymmetry is what makes it dangerous: because the attacker controls the hash inputs, a modest packet stream with chosen source addresses forces the kernel to walk one very long hash chain for every packet, so a single attacker obtains the results of a distributed denial of service attack without having to arrange the "distributed" part. It is a serious problem which will certainly be exploited, with unpleasant results. The distributors owe their users a fix.
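The mechanism behind Weimer's report, as an added illustration that is not part of the original article and not the kernel's own code: a toy chained hash table keyed by (source, destination) address, in the shape of a route cache. With an unkeyed hash, an attacker who can read the hash function picks source addresses that all land in one bucket, and every lookup then walks the whole chain. The usual remedy, a per-boot random secret mixed into the hash, denies the attacker that choice. The table size, the two hash functions (the mixer is the "lowbias32" finaliser, not jhash), the addresses and the secret are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Illustrative table geometry, not the 2.4 route cache's. */
#define HASH_BITS 12
#define NBUCKETS (1u << HASH_BITS)
#define HASH_MASK (NBUCKETS - 1)

typedef uint32_t (*hash_fn)(uint32_t saddr, uint32_t daddr, uint32_t secret);

/* Weak hash: a plain function of the addresses with no secret. Any two
 * packets whose (saddr ^ daddr) agree in the low HASH_BITS bits collide,
 * and the attacker can see exactly which addresses those are. */
uint32_t unkeyed_hash(uint32_t saddr, uint32_t daddr, uint32_t secret)
{
    (void)secret;
    return (saddr ^ daddr) & HASH_MASK;
}

/* 32-bit integer finaliser with good avalanche (the "lowbias32" constants);
 * an illustrative mixer standing in for a real keyed hash. */
static uint32_t mix32(uint32_t x)
{
    x ^= x >> 16; x *= 0x7feb352dU;
    x ^= x >> 15; x *= 0x846ca68bU;
    x ^= x >> 16;
    return x;
}

/* Keyed hash: a secret chosen at boot is mixed in, so an attacker who does
 * not know it cannot predict which addresses share a bucket. */
uint32_t keyed_hash(uint32_t saddr, uint32_t daddr, uint32_t secret)
{
    return mix32(mix32(saddr ^ secret) ^ daddr) & HASH_MASK;
}

/* Attacker's packet stream (constructed input): n source addresses that
 * differ only above bit HASH_BITS, so unkeyed_hash sends all of them to
 * the same bucket whatever the destination is. */
void craft_colliding_sources(uint32_t *saddrs, size_t n)
{
    uint32_t base = 0x0a000001u;                     /* 10.0.0.1 */
    for (size_t k = 0; k < n; k++)
        saddrs[k] = base ^ ((uint32_t)k << HASH_BITS);
}

/* Insert each packet's key and return the longest chain: the number of
 * entries a lookup must walk in the worst case, i.e. the CPU cost the
 * attacker can inflict per packet. */
size_t longest_chain(hash_fn h, const uint32_t *saddrs, size_t n,
                     uint32_t daddr, uint32_t secret)
{
    size_t *chain = calloc(NBUCKETS, sizeof *chain);
    size_t worst = 0;
    if (chain == NULL)
        return 0;
    for (size_t k = 0; k < n; k++) {
        size_t b = h(saddrs[k], daddr, secret);
        if (++chain[b] > worst)
            worst = chain[b];
    }
    free(chain);
    return worst;
}

int main(void)
{
    enum { NPKT = 4096 };
    static uint32_t saddrs[NPKT];
    uint32_t daddr = 0xc0a80101u;                    /* 192.168.1.1, the victim */
    uint32_t secret;

    srand((unsigned)time(NULL));
    secret = (uint32_t)rand() * 2654435761u;         /* stands in for a per-boot random value */

    craft_colliding_sources(saddrs, NPKT);
    printf("unkeyed hash: longest chain %zu of %d entries\n",
           longest_chain(unkeyed_hash, saddrs, NPKT, daddr, 0), NPKT);
    printf("keyed hash:   longest chain %zu of %d entries\n",
           longest_chain(keyed_hash, saddrs, NPKT, daddr, secret), NPKT);
    return 0;
}
```

With the unkeyed hash every one of the 4096 crafted packets lands in a single bucket, so each new packet costs a walk over all the earlier ones; with the keyed hash the same stream spreads across the table and the worst chain stays in single or low double digits. The defence only holds while the secret stays secret, which is why it must come from a good random source and not be derivable from anything the attacker can observe.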



Where are the kernel updates?

Posted May 29, 2003 1:23 UTC (Thu) by arcticwolf (guest, #8341) [Link]

SuSE's latest announcement at least (for glibc) does not list this in the "pending vulnerabilities, solutions, workarounds" section; maybe they aren't vulnerable at all to this, but that's just speculation, of course, and even in that case, a note stating just that would be nice.

Where are the kernel updates?

Posted May 29, 2003 2:13 UTC (Thu) by grantma (subscriber, #5225) [Link]

Debian have already released a fix in the latest kernel source for 2.4.20 in testing and unstable.

Where are the kernel updates?

Posted May 29, 2003 7:55 UTC (Thu) by mh (subscriber, #7058) [Link]

Debian requires over 100 packages to be fixed and recompiled in order to make their releases. (kernel images and module packages for many architectures). To do this properly does take a long time. The security team are working on it.
People are also looking into modifying the kernel package build scripts so that this can all be done a lot easier for future Debian releases.

Mandrake: An updated kernel in MandrakeClub

Posted May 29, 2003 8:07 UTC (Thu) by odaf (guest, #5069) [Link]

It seems that Daniel Tholen has released an updated kernel with ACL support (missing in mdk 9.1) and with security fixes today in Mandrake Club.

It's not an official MandrakeSoft release, but it comes from a well respected Mandrake Linux developer.

The package is in testing status, so it is intended only for club members. I'd encourage every Mandrake Linux user who can afford it to become a member. ;-)

Even RH only has updates for the "cheap" distros

Posted May 29, 2003 9:17 UTC (Thu) by hch (guest, #5625) [Link]

RH AS and all the non-x86 versions still don't have an update either yet. And all ia64 versions still don't even have an update for the ptrace vs kmod issue (and I contacted them ages ago, then posted to bugtraq..). Looks like they want to be comparable to commercial UNIX variants in all ways.

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds