Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Kernel Bugs

Posted by michael on from the patching-time dept.

Armin Herbert writes: "According to this mail from Rafal Wojtczuk and a german article on Heise Online, there's a new severe bug in all Linux Kernels, from 2.2.0 up to 2.4.10, which allows users to become root on your system. Kernel 2.4.12 fixes this problem, and RedHat, Caldera and other distributors already supply patches for their Kernels. See Bugtraq for more information." Important notes for anyone running a multi-user system. Update: 10/19 16:12 GMT by J : If I'm reading Nergal's writeup correctly, 2.4.10 is still vulnerable to the local DoS, but not to the local root exploit. Separate issues. And as pheared points out, there is one unverified report of a custom 2.4.12 being vulnerable as well; please try the exploit on your system and let us know what you find. This is a big one, you can expect the kiddies have already added this to their rootkits. Update your systems now!

5 of 307 comments (clear)

  1. Where's the Gartner Group? by NineNine · · Score: 1, Troll

    Well, where's the Gartner Group proclaiming that people should immediately switch from Linux to another platform?

  2. How refreshing ! by sh0rtie · · Score: 0, Troll


    I bet the Linux mob still say its Microsofts fault cos they where playing Max Payne on their win2k box while their linux boxes where rooted !

  3. well... Duh... by bflong · · Score: 1, Troll

    The mail reads:

    In order for this flaw to be exploitable, /usr/bin/newgrp must be
    setuid root and world-executable. Additionally, newgrp, when run with no
    arguments, should not prompt for password.
    Well, Duh!
    World Exec + Suid == bad
    This is a distribution bug, not a kernel one. You should not have world exec programs set suid, especialy on a system that you expect to be completely secure.

    --
    Why is it so hot? Where am I going? What am I doing in this handbasket?
  4. Newsflash (in an alternate universe) by Dimensio · · Score: 1, Troll

    Linus Torvalds, creator of the Linux operating system, commented today on the newly discovered root-exploit present in the operating system since version 2.2.0 of the software imploring bug tracker teams not to release such information to the public.

    "Security companies have a responsibility to protect the public", said a visibly upset Linux, "and releasing information such as this practically gives out blueprints for weapons to attack private systems." He went on to say that "System administrators shouldn't have to worry about whether or not their box could be rooted out from an end user's explot script or even a third party exploiting a hole in a remote service." He called the notion of letting people know about potential vulnerabilities, "Wholly irresponsible" and referred to the demonstration of example scripts for exposing and exploiting such vulnerabilities "dangerous and destructive."

    Linus finally called upon security companies to "excercise self-restraint" on issues of security flaws.
    "We're working with Microsoft", he stated, "to help develop an industry-wide standard. We will keep our systems secure, even if we have to classify every insecurity and vulnerability as copyrighted material and prosecute reporters under the DMCA to do it."

    --
    STOP MISUSING APOSTROPHES, YOU MORONS!!!
  5. Re:microsoft :P by SiliconJesus · · Score: 1, Troll

    one link... Here l0phtcrack. Cracking windows passwords for years.

    --
    Clinton made me a Republican. Bush made me a Libertarian. Trump is making me question reality.