kernel 2.4 - two new vulnerabilities

Package(s): kernel
CVE #(s): CAN-2003-0244 CAN-2003-0246
Created: May 14, 2003
Updated: July 25, 2003
Description: The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
  • The ioperm() system call doesn't perform proper checking, allowing a local user to manipulate arbitrary I/O ports.

  • The networking code contains a remotely exploitable denial of service condition; see the May 24 Security Page for details.

Alerts:
Mandrake MDKSA-2003:066-2 2003-07-25
Conectiva CLA-2003:701 2003-07-22
Mandrake MDKSA-2003:066-1 2003-07-21
Mandrake MDKSA-2003:074 2003-07-15
Slackware SSA:2003-168-01 2003-06-17
Mandrake MDKSA-2003:066 2003-06-11
Debian DSA-312-1 2003-06-09
Debian DSA-311-1 2003-06-08
Red Hat RHSA-2003:187-01 2003-06-03
Red Hat RHSA-2003:145-01 2003-05-27
EnGarde ESA-20030515-017 2003-05-15
Red Hat RHSA-2003:172-00 2003-05-14

kernel 2.4 - two new vulnerabilities

Posted Jun 6, 2003 0:28 UTC (Fri) by qubes (subscriber, #2562)

I wish more news sites would talk about this. This is a serious bug, but there doesn't seem to be _any_ push to get a release out that fixes it. (There does seem to be a theme of "use your distribution's kernel" for fixes.) Now that there are *two* major known flaws in 2.4.20, a quick release of 2.4.21 would be nice (<humor> I'll take my next kernel with no bugs, please.</humor>)

The two major community-effort distributions will only really get the fix once upstream authors release: Debian and Gentoo.

Thomas

kernel 2.4 - two new vulnerabilities

Posted Jun 12, 2003 18:26 UTC (Thu) by rfunk (subscriber, #4054)

>The two major community-effort distributions will only really get the fix once
>upstream authors release: Debian and Gentoo.

I don't know about Gentoo, but Debian distributes kernels with patches, and a
quick glance at the list of distribution updates shows that Debian is on top of
this.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds