Willy Tarreau has released a new Linux 2.4 series kernel, 2.4.36.1. It includes fixes for 6 minor security issues, most of them brought by Dann Frazier of the Debian security team. It also restores the ability to build user-space depending on kernel headers with GCC 4.2.
As usual when dealing with security, upgrading is recommended, but there's nothing serious enough to justify a blind rush says Tarreau :
CVE-2008-0007 : insufficient range checks in certain fault handlers
CVE-2007-5093 : DoS in pwc USB video driver
CVE-2007-4308 : missing permission checks in aacraid ioctls
CVE-2006-5753 : memory corruption from misinterpreted bad_inode_ops ret values
CVE-2007-2525 : memory leak when a PPPoE socket is released
CVE-2006-6054 : ext2 denial of service in presence of malformed data structures
BTW, to make it clear to those who are wondering, since some are asking :
there is no vmsplice syscall in 2.4 so the exploit published last week has no effect there, as it is only relevant to 2.6.18+.
The patch and changelog will appear soon at the following locations:
ftp://ftp.all.kernel.org/pub/linux/kernel/v2.4/ ftp://ftp.all.kernel.org/pub/linux/kernel/v2.4/patch-2.4.36.1.bz2 ftp://ftp.all.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.1 Git repository:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-v2.4.36.y.git
http://www.kernel.org/pub/scm/linux/kernel/git/stable/linux-v2.4.36.y.git Git repository through the gitweb interface:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-v2.4.36.y.git<
![[RSS]](/themes/LinuxElectrons/images/rss20.gif)
Copyright © 2003 - 2008 LinuxElectrons™