On Mon, Mar 05, 2001 at 08:36:28AM +0000, stephen@exegesis.org.uk wrote: > > I purposely have a policy of not upgrading software (including the > kernel) unless there is a good reason to do so, either with new > functionality that is required, or for security reasons. I have > no objections to upgrading in this instance, but I was more > concerned that a search on Debians archives did not show this > as a security issue. you will want to upgrade to 2.2.19 when its available since 2.2.18 and below have another security hole (actually two). the first being a race condition that allows suid executables to be ptraced, this is potentially allows for root compromise. the other allows users to read arbitrary memory through a bug in sysctl() (depending on the attackers luck they could potentially grab a password or other sensitive information). both are only locally exploitable. (i know of no exploit for the ptrace race at this time, there is a proof of concept exploit for the sysctl() bug). -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpr__EYmQ9xf.pgp
Description: PGP signature