
DESA-2004-002 - Linux kernel: missing function return value check



--------------------------------------------------------------------------
Debian-Edu/Skolelinux Security Advisory DESA 2004-002
                                                        Morten Werner Olsen
February 23rd, 2004             debian-edu-security@lists.alioth.debian.org
--------------------------------------------------------------------------

Package             : kernel-image-2.4.24-1-i386
Vulnerability       : missing function return value check
Problem-Type        : local
Need reboot         : yes
Debian-Edu-specific : no
CVE ID              : CAN-2004-0077
DSA ID              : DSA 438-1

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical
security vulnerability in the Linux memory management code, inside the
mremap(2) system call.  Because the return value of internal functions
is not checked, a local attacker can gain root privileges.

The new kernel packages are fetched directly from Debian's unstable
archives, packaged by Herbert Xu.

We recommend that you upgrade your kernel packages. These new kernel
packages also fix the problem described in DESA-2004-001. This problem
has been fixed in the upstream version 2.4.25 as well.


Upgrade Instructions
--------------------

Make sure 'deb ftp://ftp.skolelinux.no/skolelinux/ woody local' is
present in your /etc/apt/sources.list and run 'apt-get update' to
update your package lists.

Find which flavour of the kernel you are running with the command
'uname -r' (examples: 386, 586tsc, 686, 686-smp, k6, k7, k7-smp).

To upgrade, run this command replacing <flavour> with yours:

  apt-get install kernel-image-2.4.24-1-<flavour>

If you are unfamiliar with kernel upgrades, please visit our
mini-HOWTO on this subject:

  http://www.skolelinux.no/security/kernel-upgrade
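
The upgrade steps above as a script; this is an added example, not part of the original advisory. It assumes the 'uname -r' string ends in "-<flavour>", and the function names are hypothetical.

```shell
#!/bin/sh
# Flavours given as examples in the advisory.
FLAVOURS="386 586tsc 686 686-smp k6 k7 k7-smp"
SOURCE_LINE="deb ftp://ftp.skolelinux.no/skolelinux/ woody local"

# Print the flavour suffix of a `uname -r` string; fail if none matches.
# Assumption: the release string ends in "-<flavour>".
flavour_from_release() {
    for f in $FLAVOURS; do
        case "$1" in
            *-"$f") printf '%s\n' "$f"; return 0 ;;
        esac
    done
    return 1
}

# Succeed if the sources file has the Skolelinux line active, ignoring
# comments and whitespace differences. A commented-out line does not count.
has_source_line() {
    file="${1:-/etc/apt/sources.list}"
    [ -r "$file" ] || return 1
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$file" | grep -Fxq "$SOURCE_LINE"
}

# Print the install command for a release string, or refuse when the
# flavour cannot be determined (no guessing of a package name).
upgrade_command() {
    flavour=$(flavour_from_release "$1") || {
        echo "unknown flavour in '$1'; choose the package by hand" >&2
        return 1
    }
    printf 'apt-get install kernel-image-2.4.24-1-%s\n' "$flavour"
}

# Run with --check to inspect this machine; nothing is installed.
if [ "${1:-}" = "--check" ]; then
    has_source_line || echo "add to /etc/apt/sources.list: $SOURCE_LINE"
    upgrade_command "$(uname -r)"
fi
```

The script only prints the command; run 'apt-get update' before installing, and reboot afterwards so the new kernel is the one running.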

--------------------------------------------------------------------------
For apt-get: deb ftp://ftp.skolelinux.no/skolelinux/ woody local

Mailing list: debian-edu@lists.debian.org, linuxiskolen@skolelinux.no
Package info: `apt-cache show <pkg>'
