Re: kernel-image not installed by default in woody



On Mon, 2003-12-22 at 18:18, Simon Heywood wrote:
> I recently found that one of my Debian machines, a clean woody
> installation with a couple of additional packages installed, was
> vulnerable to the ptrace() Linux exploit. Now this surprised me, not
> least because as soon as I'd done the installation I'd supplied it with
> a fairly standard sources.list file and let apt-get grab all the
> security updates.
> 
> It turned out that no `kernel-image' package was installed by default,
> so the 2.2.20 kernel that was put in place during the installation
> process was never upgraded.
> 
> So, two questions: (i) is it generally the case that no kernel-image
> package is installed by default, i.e. is this just something I messed
> up, and (ii) is this a feature or a bug?
> 
> I discussed this briefly on #debian, and the one person who responded
> seemed to think it was a feature. However, given the clean install +
> upgrade scenario I've mentioned above, I'm not convinced....

Not only should you be convinced, you should be thankful. The 2.2.20
kernel is not vulnerable to the recent ptrace().

By default NO Kernel is installed except the one you told it to at the
beginning of the process.

You could have "unstable" running a 2.2.20 kernel. Until you want
something different it won't do it for you.
-- 
greg, greg@gregfolkert.net
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
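
Added example, not part of either message: a check for the situation discussed in this thread, where the running kernel has no installed `kernel-image' package and so apt-get has nothing to upgrade for it. It assumes a packaged kernel is named kernel-image-<release> with <release> as printed by `uname -r`; the package listing and its version numbers are constructed sample input.

```shell
#!/bin/sh
# Added example. Assumption: a packaged kernel is named
# kernel-image-<release>, where <release> is what `uname -r` prints.

# kernel_pkg_for RELEASE
# Reads `dpkg -l` style lines on stdin. Prints the kernel-image package
# that is fully installed (status "ii") for RELEASE and returns 0;
# returns 1 when no such package is installed, i.e. apt-get upgrade has
# nothing to upgrade for that kernel.
kernel_pkg_for() {
    awk -v want="kernel-image-$1" '
        $1 == "ii" && $2 == want { print $2; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample listing (not taken from a real machine). The "rc"
# line is a package that was removed with only its config files left,
# so it must not count as installed.
sample_listing() {
    cat <<'EOF'
ii  apt                      0.5.4      Advanced front-end for dpkg
rc  kernel-image-2.2.20      2.2.20-5   Linux kernel binary image
ii  kernel-image-2.4.18-686  2.4.18-13  Linux kernel binary image
EOF
}

# report RELEASE: one-line verdict for RELEASE against the listing on stdin
report() {
    if pkg=$(kernel_pkg_for "$1"); then
        echo "tracked by $pkg"
    else
        echo "untracked: no installed kernel-image-$1"
    fi
}

# On a live system (wide COLUMNS so dpkg does not truncate names):
#   COLUMNS=200 dpkg -l 'kernel-image-*' | report "$(uname -r)"
sample_listing | report 2.2.20
sample_listing | report 2.4.18-686
```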
