Mailinglist Archive: opensuse-security (376 mails)
Re: [suse-security] kernel security hole?
- From: Roman Drahtmueller <draht@xxxxxxx>
- Date: Thu, 20 Mar 2003 19:12:00 +0100 (MET)
- Message-id: <Pine.LNX.4.53.0303201910330.24913@xxxxxxxxxxxx>
> >
> > Has this been discussed here already?
>
> Yes, already by several people, and I seriously do not
> understand the silence from SuSE (even given CeBIT as an
> excuse). My short investigation showed that at least SuSE 7.3
> and 8.1 default kernels (2.4.10 and 2.4.19, respectively) are
> vulnerable to this exploit, this is freely available on the web!
>
> And I do not understand statements like:
>
> > FYI, new GRsecurity 1.9.9d solves this problem.
>
> Sure, there's an even simpler way - one may just apply Alan Cox's
> patch to his kernel and happily go ahead, but I guess it's
> rather expected that SuSE provides patched kernel rpms
> combined with the usual official security notice... Or am I wrong?

You might be, yes. The complete and correct fix is not there yet. We're
working on it, but be sure we won't publish any kernels that we would have
to correct a week or so later again.

The next announcement in the queue has a temporary workaround in section
2).

Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx> // "You don't need eyes to see, |
SuSE Linux AG - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -