Full Disclosure mailing list archives
Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation
From: D-vice <lord.x86 () gmail com>
Date: Thu, 27 Aug 2009 14:57:06 +0200
Wrong list dude On Thu, Aug 27, 2009 at 2:11 PM, morla <morla () cracksucht de> wrote:
dann frazier wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ---------------------------------------------------------------------- Debian Security Advisory DSA-1862-1 security () debian org http://www.debian.org/security/ dann frazier Aug 14, 2009 http://www.debian.org/security/faq - ---------------------------------------------------------------------- Package : linux-2.6 Vulnerability : privilege escalation Problem type : local Debian-specific: no CVE Id(s) : CVE-2009-2692 A vulnerability has been discovered in the Linux kernel that may lead to privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problem: CVE-2009-2692 Tavis Ormandy and Julien Tinnes discovered an issue with how the sendpage function is initialized in the proto_ops structure. Local users can exploit this vulnerability to gain elevated privileges. For the stable distribution (lenny), this problem has been fixed in version 2.6.26-17lenny2. For the oldstable distribution (etch), this problem will be fixed in updates to linux-2.6 and linux-2.6.24. We recommend that you upgrade your linux-2.6 and user-mode-linux packages. Note: Debian carefully tracks all known security issues across every linux kernel package in all releases under active security support. However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, updates for lower priority issues will normally not be released for all kernels at the same time. Rather, they will be released in a staggered or "leap-frog" fashion. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packageshey, i think i am missing something over here.... i got lotza debian boxes here that run: $ uname -a Linux srvdeb-1 2.6.26-1-686-bigmem #1 SMP Fri Mar 13 18:52:29 UTC 2009 i686 GNU/Linux when i $ aptitude update ; aptitude safe-upgrade or $ apt-get update ; apt-get upgrade it tells me that im up 2 date. but in this release the bug is still included,.,. i had to install "linux-image-2.6.26-2-686-bigmem" via $ aptitude install linux-image-2.6.26-2-686-bigmem by hand. why is this? and how do i ensure that im not being fooled by aptitude or apt? regards, moe _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation dann frazier (Aug 15)
- Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation morla (Aug 27)
- Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation D-vice (Aug 27)
- Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation Peter Besenbruch (Aug 27)
- Re: [SECURITY] [DSA 1862-1] New Linux 2.6.26 packages fix privilege escalation morla (Aug 27)