| Descripción: | Summary:
The remote host is missing an update for the 'Kernel' package(s) announced via the SSA:2004-006-01 advisory.
Vulnerability Insight:
New kernels are available for Slackware 9.0, 9.1 and -current.
The 9.1 and -current kernels have been upgraded to 2.4.24, and a
fix has been backported to the 2.4.21 kernels in Slackware 9.0
to fix a bounds-checking problem in the kernel's mremap() call
which could be used by a local attacker to gain root privileges.
Sites should upgrade to the 2.4.24 kernel and kernel modules.
After installing the new kernel, be sure to run 'lilo'.
More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
[link moved to references]
Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Tue Jan 6 15:01:54 PST 2004
patches/kernels/: Upgraded to Linux 2.4.24. This fixes a bounds-checking
problem in the kernel's mremap() call which could be used by a local attacker
to gain root privileges. Sites should upgrade to the 2.4.24 kernel and
kernel modules. After installing the new kernel, be sure to run 'lilo'.
For more details, see:
[link moved to references]
Thanks to Paul Starzetz for finding and researching this issue.
(* Security fix *)
patches/packages/alsa-driver-0.9.8-i486-2.tgz: Recompiled against
linux-2.4.24.
patches/packages/cvs-1.11.11-i486-1.tgz: Upgraded to cvs-1.11.11.
This version enforces greater security. Changes include pserver
refusing to run as root, and logging attempts to exploit the security
hole fixed in 1.11.10 in the syslog.
patches/packages/kernel-ide-2.4.24-i486-1.tgz: Upgraded bare.i kernel
package to Linux 2.4.24.
patches/packages/kernel-modules-2.4.24-i486-1.tgz: Upgraded to Linux
2.4.24 kernel modules.
patches/packages/kernel-source-2.4.24-noarch-2.tgz: Upgraded to Linux
2.4.24 kernel source, with XFS and Speakup patches included (but not
pre-applied). This uses the XFS and Speakup patches for 2.4.23, which
should be fine since 2.4.24 didn't change much code. Proper XFS
patches for 2.4.24 will probably be out soon to fix the one Makefile
rejection for EXTRAVERSION = -xfs, but likely little else will be
different since XFS development has already gone ahead to what is now
the 2.4.25-pre kernel series.
patches/packages/kernel-modules-xfs/alsa-driver-xfs-0.9.8-i486-2.tgz:
Recompiled against linux-2.4.24-xfs.
patches/packages/kernel-modules-xfs/kernel-modules-xfs-2.4.24-i486-1.tgz:
Upgraded to Linux 2.4.24 kernel modules for the xfs.s (XFS patched)
kernel.
+--------------------------+
Affected Software/OS:
'Kernel' package(s) on Slackware 9.0, Slackware 9.1, Slackware current.
Solution:
Please install the updated package(s).
CVSS Score:
7.2
CVSS Vector:
AV:L/AC:L/Au:N/C:C/I:C/A:C
|
