Geoff Thurman (<email@example.com>) wrote:
> Is it possible for the unwitting to install a kernel-image downloaded
> from official debian sources that hasn't been patched for the recent
> exploit, or can all the currently downloadable images (and kernel
> source packages too, for that matter) be taken to be safe from it?
> switched to woody, and have today installed image-2-4-18-k6 #1, dated
> Apr 14 2002. Clearly the date suggests no patch has been applied, so
> is this kernel vulnerable to the exploit, please, or does it not arise
> in this branch?

Your kernel is vulnerable. When the ptrace bug was fixed, the packages
became incompatible with modules compiled for older versions, and they
were renamed. Install kernel-image-2.4.18-1-k6 from
security.debian.org. The current version from ftp.debian.org (Woody r2)
does /not/ fix all vulnerabilities (I even think it is still the same
one as in Woody r1 because newer packages were rejected from r2 for

Registered Linux User #267976