It’s true! [8-O] ... Actually, this is old news, and hopefully all the distributors have released patches allowing you to upgrade to the 2.4.23 version of the kernel (which you should do now, if you haven’t already).

The critical vulnerability in the Linux kernel lets an attacker gain root access (that is, complete control, in case you don’t speak ‘nix) through a flaw in the kernel itself, which means it affects basically every distribution running a kernel older than 2.4.23 (or 2.5.69 if you’re running that series of the kernel, or 2.6.0-test6 … golly, doncha love how clear everything is in the Linux world?).

It involves an integer overflow in the do_brk() code, and I know for sure that Red Hat and SUSE have released patches, and of course Debian, since it was they who publicized the vulnerability after someone used it to compromise several of their servers late last month.
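
The post only names the root cause, so here is an added illustration of the bug class (not code from the original post, and a simplified model rather than the kernel’s actual do_brk() code): an unsigned address-plus-length bounds check that wraps around, beside the overflow-aware form that rejects the same input. The TASK_SIZE value, the function names and the sample inputs are assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative constant: top of user space on 32-bit i386 kernels of
 * the 2.4 era. Assumed here for the demonstration, not quoted from
 * the kernel source. */
#define TASK_SIZE 0xC0000000u

/* Naive range check: "does the mapping end at or below TASK_SIZE?"
 * addr + len is computed in 32-bit unsigned arithmetic, so a large
 * len wraps the sum past zero and the comparison passes even though
 * the real end of the range lies far above TASK_SIZE. */
int range_ok_naive(uint32_t addr, uint32_t len)
{
    return addr + len <= TASK_SIZE;
}

/* Overflow-aware check: the same comparison, plus a test that the
 * sum did not wrap (a wrapped sum is smaller than its own start).
 * This is the pattern a kernel bounds check needs before trusting
 * a caller-supplied length. */
int range_ok_safe(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;
    if (end < addr)          /* wrapped around 2^32 */
        return 0;
    return end <= TASK_SIZE;
}

int main(void)
{
    /* Constructed inputs. The second pair wraps: 0xBFFF0000 + 0x40020000
     * = 0x1_0001_0000, which truncates to 0x00010000 in 32 bits, so the
     * naive check accepts it while the safe check refuses it. */
    struct { uint32_t addr, len; } cases[] = {
        { 0x08048000u, 0x00100000u },   /* ordinary request */
        { 0xBFFF0000u, 0x40020000u },   /* wraps past zero */
    };
    for (size_t i = 0; i < 2; i++) {
        printf("addr=%#010x len=%#010x naive=%d safe=%d\n",
               cases[i].addr, cases[i].len,
               range_ok_naive(cases[i].addr, cases[i].len),
               range_ok_safe(cases[i].addr, cases[i].len));
    }
    return 0;
}
```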

Of course, the good news is how openly and quickly this was handled once they got hacked. The bad news is that they knew about the vulnerability as long ago as September and had even fixed it in some pre-release code, but they didn’t think it was important until someone used it to hack their production servers.
