--------------------------------------------------------------------------
Debian-Edu/Skolelinux Security Advisory DESA 2004-002   Morten Werner Olsen
February 23rd, 2004             debian-edu-security@lists.alioth.debian.org
--------------------------------------------------------------------------

Package              : kernel-image-2.4.24-1-i386
Vulnerability        : missing function return value check
Problem-Type         : local
Need reboot          : yes
Debian-Edu-specific  : no
CVE ID               : CAN-2004-0077
DSA ID               : DSA 438-1

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical
security vulnerability in the memory management code of Linux inside
the mremap(2) system call. Due to a missing check of the return value
of internal functions, a local attacker can gain root privileges.

The new kernel packages are fetched directly from Debian's unstable
archives, packaged by Herbert Xu.

We recommend that you upgrade your kernel packages. These new kernel
packages will also fix the problem in DESA-2004-001.

This problem has been fixed in the upstream version 2.4.25 as well.

Upgrade Instructions
--------------------

Make sure 'deb ftp://ftp.skolelinux.no/skolelinux/ woody local' is
present in your /etc/apt/sources.list and run 'apt-get update' to
update your package lists. Find which flavour of the kernel you are
running with the command 'uname -r' (examples: 386, 586tsc, 686,
686-smp, k6, k7, k7-smp). To upgrade, run this command, replacing
<flavour> with yours:

  apt-get install kernel-image-2.4.24-1-<flavour>

If you are unfamiliar with kernel upgrades, please visit our mini-HOWTO
on this subject: http://www.skolelinux.no/security/kernel-upgrade

--------------------------------------------------------------------------
For apt-get: deb ftp://ftp.skolelinux.no/skolelinux/ woody local
Mailing list: debian-edu@lists.debian.org, linuxiskolen@skolelinux.no
Package info: `apt-cache show <pkg>'
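
The upgrade steps above as a shell sketch. This is an added example, not part of the original advisory; the function names are hypothetical, and it assumes the flavour is the trailing part of the 'uname -r' string and is one of the flavours the advisory lists.

```shell
# Flavours named in the advisory; anything else must be handled by hand.
KNOWN_FLAVOURS="386 586tsc 686 686-smp k6 k7 k7-smp"
SKOLE_SOURCE='deb ftp://ftp.skolelinux.no/skolelinux/ woody local'

# kernel_flavour RELEASE: print the flavour suffix of a `uname -r` string.
# Returns 1 when the release does not end in a listed flavour.
kernel_flavour() {
    for f in $KNOWN_FLAVOURS; do
        case "$1" in
            *-"$f") echo "$f"; return 0 ;;
        esac
    done
    return 1
}

# has_skolelinux_source FILE: succeed only if FILE carries the archive line
# as an active entry (a commented-out copy does not count).
has_skolelinux_source() {
    grep -Eq '^[[:space:]]*deb[[:space:]]+ftp://ftp\.skolelinux\.no/skolelinux/[[:space:]]+woody[[:space:]]+local' "$1"
}

# upgrade_plan RELEASE SOURCES_LIST: print the commands from the advisory
# with <flavour> filled in, or explain on stderr why it cannot.
upgrade_plan() {
    flavour=$(kernel_flavour "$1") || {
        echo "unrecognised flavour in '$1'; choose the package by hand" >&2
        return 2
    }
    if ! has_skolelinux_source "$2"; then
        echo "missing from $2: $SKOLE_SOURCE" >&2
        return 3
    fi
    echo "apt-get update && apt-get install kernel-image-2.4.24-1-$flavour"
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
echo "$SKOLE_SOURCE" > "$sample"
upgrade_plan "2.4.18-686-smp" "$sample"
rm -f "$sample"
```

On a real machine the call would be: upgrade_plan "$(uname -r)" /etc/apt/sources.list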