Hi to all,

Well, it's my first post on this list, so don't pay attention if this has 
already been discussed here.

I've received this Advisory from Mandrake.
It deals with kernels 2.2 and 2.4, and problems with VPN and more.

I wonder if this affects SME 5.x too, and if an update will be needed.

Thanks,
Fabien

________________________________________________________________________

                 Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           kernel 2.2 and 2.4
Advisory ID:            MDKSA-2002:041
Date:                   July 4th, 2002
Affected versions:      7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1,
                         Single Network Firewall 7.2
________________________________________________________________________

Problem Description:

  A problem was discovered in the CIPE (VPN tunnel) implementation in the
  Linux kernel where a malformed packet could cause a crash.

  Andrew Griffiths discovered a vulnerability that allows remote machines
  to read random memory by utilizing a bug in the ICMP implementation of
  Linux kernels.  This only affects kernels prior to 2.4.0-test6 and
  2.2.18; all Mandrake Linux 2.4 kernels are not vulnerable to this
  problem.

  Another problem was discovered by the Linux Netfilter team in the IRC
  connection tracking component of netfilter in Linux 2.4 kernels.  It
  consists of a very broad netmask setting which is applied to check if
  an IRC DCC connection through a masqueraded firewall should be allowed.
  This would lead to unwanted ports being opened on the firewall which
  could possibly allow inbound connections depending on the firewall
  rules in use.

  The 2.2 and 2.4 kernels are also affected by the zlib double-free()
  problem as routines from the compression library are used by functions
  that uncompress filesystems loaded into ramdisks and other occasions
  that are not security-critical.  The kernel also uses the compression
  library in the PPP layer as well as the freeswan IPSec kernel module.

  As well, a number of other non-security fixes are present in these
  kernels, including new and enhanced drivers, LSB compliance, and more.

  MandrakeSoft encourages all users to upgrade their kernel as soon as
  possible to these new 2.2 and 2.4 kernels.

  NOTE: This update cannot be accomplished via MandrakeUpdate; it must be
  done on the console.  This prevents one from upgrading a kernel instead
  of installing a new kernel.  To upgrade, please ensure that you have
  first upgraded iptables, mkinitrd, and initscripts packages if they are
  applicable to your platform.  Use "rpm -ivh kernel_package" to install
  the new kernel.  Prior to rebooting, double-check your /etc/lilo.conf,
  /boot/grub/menu.lst, or /etc/yaboot.conf (PPC users only) to ensure
  that you are able to boot properly into both old and new kernels (this
  will allow you to boot into the old kernel if the new kernel does not
  work to your liking).

  LILO users should execute "/sbin/lilo -v", GRUB users should execute
  "sh /boot/grub/install.sh", and PPC users must type "/sbin/ybin -v" to
  write the boot record in order to reboot into the new kernel if you
  made any changes to the respective boot configuration files.

  New kernels for Mandrake Linux 8.1/IA64 will be available shortly.
________________________________________________________________________

References:

________________________________________________________________________

Updated Packages: .............

