On Mon, Mar 05, 2001 at 08:36:28AM +0000, [EMAIL PROTECTED] wrote:
>
> I purposely have a policy of not upgrading software (including the
> kernel) unless there is a good reason to do so, either with new
> functionality that is required, or for security reasons. I have
> no objections to upgrading in this instance, but I was more
> concerned that a search on Debian's archives did not show this
> as a security issue.
You will want to upgrade to 2.2.19 when it's available, since 2.2.18 and
below have another security hole (actually two). The first is a
race condition that allows suid executables to be ptraced; this
potentially allows for root compromise. The other allows users to
read arbitrary memory through a bug in sysctl() (depending on the
attacker's luck they could potentially grab a password or other
sensitive information). Both are only locally exploitable. (I know
of no exploit for the ptrace race at this time; there is a proof of
concept exploit for the sysctl() bug.)
--
Ethan Benson
http://www.alaska.net/~erbenson/
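A version check an administrator could run on the box before deciding whether to upgrade, as an added example that is not part of the original mail or of any Debian tooling. It encodes only the cut-off stated in the message (2.2.18 and below affected, 2.2.19 fixed) and refuses to guess about other kernel series; treating a suffixed 2.2.19 build such as "2.2.19pre17" as still affected is my own conservative assumption, not something the mail says.

```shell
#!/bin/sh
# Added example, not from the original mail: classify a Linux kernel
# version string against the advice above (2.2.18 and below affected,
# 2.2.19 fixed). Pure POSIX sh, so it runs on a 2001-era Debian box.

# kernel_status VERSION
#   prints affected | fixed | out-of-scope | unparseable
#   returns 1 | 0 | 2 | 3 respectively, so it can gate a script.
kernel_status() {
    ver=$1

    # Require at least major.minor.patch; "2.2" alone is ambiguous.
    case $ver in
        *.*.*) ;;
        *) printf 'unparseable\n'; return 3 ;;
    esac

    maj=${ver%%.*}            # "2"
    tmp=${ver#*.}             # "2.19pre17"
    min=${tmp%%.*}            # "2"
    rest=${ver#*.*.}          # "19pre17"
    pat=${rest%%[!0-9]*}      # "19": leading digits of the patchlevel
    suffix=${rest#"$pat"}     # "pre17": anything after them (may be empty)

    for n in "$maj" "$min" "$pat"; do
        case $n in
            ''|*[!0-9]*) printf 'unparseable\n'; return 3 ;;
        esac
    done

    # The message only speaks about the 2.2 series; do not guess about
    # 2.0 or 2.4 kernels.
    if [ "$maj" -ne 2 ] || [ "$min" -ne 2 ]; then
        printf 'out-of-scope\n'; return 2
    fi

    if [ "$pat" -lt 19 ]; then
        printf 'affected\n'; return 1
    fi

    # Assumption (mine, not the mail's): a 2.2.19 pre-release or
    # vendor-suffixed build ("2.2.19pre17", "2.2.19-foo") is treated
    # as not yet carrying the fix. Relax this if you know otherwise.
    if [ "$pat" -eq 19 ] && [ -n "$suffix" ]; then
        printf 'affected\n'; return 1
    fi

    printf 'fixed\n'; return 0
}

# Check the running kernel. "|| status=$?" keeps this safe under set -e;
# an install script can follow it with: exit "$status"
status=0
kernel_status "$(uname -r)" || status=$?
```

Drop the file on the machine and run it with `sh`; the printed verdict is for a human, and `$status` (0 fixed, 1 affected, 2 out of scope, 3 unparseable) is what a wrapper script should branch on.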