I just got the email from SuSE about the Kernel brk() vulnerability. Going through the instructions in the email I see that kernel k_athlon-2.4.21-144.i586.rpm is what I'm supposed to download. About a week ago there was a kernel update that I did with YaST/YOU. It is the same version number as the one listed for the current security announcement.

~>rpm -q k_athlon
k_athlon-2.4.21-144

Am I correct to assume that I'm OK? Is it possible that changes were made to the kernel but the version number didn't change?

Cheers, Gary
On Thursday 04 December 2003 09:34, Gary Hodges wrote:
> I just got the email from SuSE about the Kernel brk() vulnerability. Going through the instructions in the email I see that kernel
> k_athlon-2.4.21-144.i586.rpm
> is what I'm supposed to download. About a week ago there was a kernel update that I did with YaST/YOU. It is the same version number as the one listed for the current security announcement.
> ~>rpm -q k_athlon
> k_athlon-2.4.21-144
> Am I correct to assume that I'm OK? Is it possible that changes were made to the kernel but the version number didn't change?
> Cheers, Gary
Well, 2.4.21-144 is the one. I take it that the fact that you had received an email about the brk() problem suggesting you update to X-144 came after it was already available for dl via YOU. All I can say is that the public announcement of the brk() vulnerability was known about by the kernel devs before the general public. So, in other words they are doing what M$ say they are better at... Providing updates in a timely manner. How much more timely does one need!? A problem is found, fixed, made available, then announced - in that order. So I think you're fairly safe. By the way the patch from SUSE came with a blurb (in a file) that describes the patch and its changes and then there's always the changelog to check against.

Cheers, Curtis.
On Thu, Dec 04, 2003 at 11:21:37AM -0800, Curtis Rey wrote:
> On Thursday 04 December 2003 09:34, Gary Hodges wrote:
> > I just got the email from SuSE about the Kernel brk() vulnerability. Going through the instructions in the email I see that kernel
> > k_athlon-2.4.21-144.i586.rpm
> > is what I'm supposed to download. About a week ago there was a kernel update that I did with YaST/YOU. It is the same version number as the one listed for the current security announcement.
> > ~>rpm -q k_athlon
> > k_athlon-2.4.21-144
> > Am I correct to assume that I'm OK? Is it possible that changes were made to the kernel but the version number didn't change?
> > Cheers, Gary
> Well, 2.4.21-144 is the one. I take it that the fact that you had received an email about the brk() problem suggesting you update to X-144 came after it was already available for dl via YOU. All I can say is that the public announcement of the brk() vulnerability was known about by the kernel devs before the general public. So, in other words they are doing what M$ say they are better at... Providing updates in a timely manner. How much more timely does one need!? A problem is found, fixed, made available, then announced - in that order. So I think you're fairly safe. By the way the patch from SUSE came with a blurb (in a file) that describes the patch and its changes and then there's always the changelog to check against.
OK, there is something I don't understand. According to the changelog in the -144 kernel, do_brk was fixed Sep. 26:

* Fri Sep 26 2003 - mantel@suse.de
- check bounds in do_brk

The k_deflt package is dated Nov. 14. The announcement came just today and was withheld on the pretext that testing was not finished. Did SUSE release an untested kernel? I doubt it. Then I do not understand the delay with the security announcement. Does anybody have a better understanding of this?

Thanks, -Kastus
On Thu, 4 Dec 2003 11:21:37 -0800, Curtis Rey <crey@san.rr.com> wrote:
> > k_athlon-2.4.21-144
> > Am I correct to assume that I'm OK? Is it possible that changes were made to the kernel but the version number didn't change?
> Well, 2.4.21-144 is the one.
... well, I frequent many of the COL* newsgroups and in one of them, can't remember which, someone is having a bear of an issue - even though they're getting reports of running -144, there are some logs showing, what, -96 (whatever the previous dot release was). It might be an issue with a module, not sure, since it hasn't been nailed yet. Anyway, this was specific to the k_athlon update.
-- 
/// Michael J. Tobler: motorcyclist, surfer, skydiver, \\\
\\\ and author: "Inside Linux", "C++ HowTo", "C++ Unleashed" ///
I often quote myself; it adds spice to my conversation.
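The three checks the thread circles around (is the installed package at least the advisory's version, is the running kernel actually that package rather than a stale -96 as in the logs above, and does the changelog carry the do_brk entry Kastus quotes), as an added example that is not from any of the posters or from SuSE. The `rpm -q`, `uname -r` and changelog inputs are constructed samples; the `2.4.21-144-athlon` form of `uname -r` is an assumption.

```python
"""Three checks for a kernel security update, as discussed in this thread: the
installed package (rpm -q), the running kernel (uname -r) and the changelog
(rpm -q --changelog). Inputs below are constructed samples; rpm is not called."""
import re
from itertools import zip_longest

INSTALLED = "k_athlon-2.4.21-144"  # constructed: output of `rpm -q k_athlon`
RUNNING = "2.4.21-144-athlon"      # constructed: `uname -r`; flavour suffix assumed
CHANGELOG = """\
* Fri Nov 14 2003 - someone@example.invalid
- (constructed entry) rebuild of the package
* Fri Sep 26 2003 - mantel@suse.de
- check bounds in do_brk
"""
FIXED_IN = "2.4.21-144"   # version-release named in the advisory
FIX_MARKER = "do_brk"     # changelog text identifying the fix

def rpm_vercmp(a, b):
    """Compare two version (or release) strings the way rpmvercmp does:
    digit runs compare numerically, letter runs lexically, numeric beats alpha."""
    for x, y in zip_longest(re.findall(r"\d+|[A-Za-z]+", a),
                            re.findall(r"\d+|[A-Za-z]+", b)):
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return 0

def version_release(pkg):
    """Split 'name-version-release' as printed by rpm -q into (version, release)."""
    return tuple(pkg.rsplit("-", 2)[1:])

def at_least(installed, fixed):
    c = rpm_vercmp(installed[0], fixed[0])
    return c > 0 or (c == 0 and rpm_vercmp(installed[1], fixed[1]) >= 0)

def check_update(installed, running, changelog, fixed_in=FIXED_IN, marker=FIX_MARKER):
    """Return three independent findings; each can fail on its own."""
    inst = version_release(installed)
    return {
        "package_fixed": at_least(inst, tuple(fixed_in.rsplit("-", 1))),
        # running kernel older than the installed package: no reboot yet (mjt's -96 logs)
        "running_matches_installed": tuple(running.split("-")[:2]) == inst,
        "changelog_mentions_fix": any(marker in l for l in changelog.splitlines()),
    }
```

On a real box the three inputs come from `rpm -q k_athlon`, `uname -r` and `rpm -q --changelog k_athlon`; a package that is fixed but not yet booted shows up as the second finding being false.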