Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation
From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Date: Mon, 17 Aug 2009 10:51:58 -0400
Message-id: <[🔎] 20090817105158.446eb824.michael.s.gilbert@gmail.com>
In-reply-to: <[🔎] 1250516217.16765.38.camel@jan>
References: <20090814193110.GH13745@ldl.fc.hp.com> <[🔎] 1250516217.16765.38.camel@jan>

On Mon, 17 Aug 2009 15:36:57 +0200, Jan de Groot wrote:
> On Fri, 2009-08-14 at 13:31 -0600, dann frazier wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > - ----------------------------------------------------------------------
> > Debian Security Advisory DSA-1862-1                security@debian.org
> > http://www.debian.org/security/                           dann frazier
> > Aug 14, 2009                        http://www.debian.org/security/faq
> > - ----------------------------------------------------------------------
> > 
> > Package        : linux-2.6
> > Vulnerability  : privilege escalation
> > Problem type   : local
> > Debian-specific: no
> > CVE Id(s)      : CVE-2009-2692
> > 
> > A vulnerability has been discovered in the Linux kernel that may lead
> > to privilege escalation. The Common Vulnerabilities and Exposures project
> > identifies the following problem:
> > 
> > CVE-2009-2692
> > 
> >     Tavis Ormandy and Julien Tinnes discovered an issue with how the
> >     sendpage function is initialized in the proto_ops structure.
> >     Local users can exploit this vulnerability to gain elevated
> >     privileges.
> > 
> > For the stable distribution (lenny), this problem has been fixed in
> > version 2.6.26-17lenny2.
> 
> There's also a 2.6.26-18 in lenny-proposed-updates which contains some
> bugfixes that 2.6.26-17lenny2 doesn't have. The version of this kernel
> is higher than this security release, but it doesn't have the security
> patch included in this release. What's the future of this kernel in
> lenny-proposed-updates, will we see 2.6.26-18lenny1, or will it get
> removed?
> I don't have problems with "downgrading" to 2.6.26-17lenny2 for now, but
> I can imagine some users need the bugfixes in 2.6.26-18 and are still
> affected by this bug.

proposed-updates is not supported by the security team.  however,
patches will certainly get applied there at some point before the next
point release; just don't expect that to be done with much urgency. if
you are concerned about security, stick with the core package pool.

mike

Reply to:

References:
- Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation
  - From: Jan de Groot <jan@jgc.homeip.net>

Prev by Date: Re: [SECURITY] [DSA 1864-1] New Linux 2.6.24 packages fix privilege escalation
Next by Date: Re: Syntax for DSA (was: [SECURITY] [DSA 1865-1] New Linux 2.6.18)
Previous by thread: Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation
Next by thread: testing new kdelibs/kdegraphics packages
Index(es):
- Date
- Thread