If it weren't for the vulnerabilities being around for MORE THAN SIX MONTHS, I would not have an issue. Personally I prefer to know ASAP of any vulnerability and have a possible workaround if a patch cannot be immediately released. I would think that MS, with its $53 billion in the bank ($51 billion now that they have paid Sun $2B) and many more resources than the FreeBSD, Linux and OpenBSD communities, would be able to release patches immediately instead of six months later.

-----Original Message-----
From: Exibar [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 14, 2004 9:05 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: 1 patch for 1 vulnerability for Linux and BSD? gunna try and sell us a bridge now too?

Looks like Linux Math is just as bad as Microsoft math now huh? What happened to one patch for one vulnerability? Looks like there is 5 in this one......

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 14, 2004 10:52 AM
Subject: [Full-Disclosure] [SECURITY] [DSA 479-1] New Linux 2.4.18 packages fix local root exploit (source+alpha+i386+powerpc)

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 479-1                     [EMAIL PROTECTED]
> http://www.debian.org/security/                             Martin Schulze
> April 14th, 2004                        http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package        : kernel-source-2.4.18 kernel-image-2.4.18-1-alpha kernel-image-2.4.18-1-i386 kernel-image-2.4.18-i386bf kernel-patch-2.4.18-powerpc
> Vulnerability  : several vulnerabilities
> Problem-Type   : local
> Debian-specific: no
> CVE ID         : CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178
>
> Several serious problems have been discovered in the Linux kernel.
> This update takes care of Linux 2.4.18 for the alpha, i386 and powerpc
> architectures. The Common Vulnerabilities and Exposures project
> identifies the following problems that will be fixed with this update:
>
> CAN-2004-0003
>
>     A vulnerability has been discovered in the R128 drive in the Linux
>     kernel which could potentially lead an attacker to gain
>     unauthorised privileges. Alan Cox and Thomas Biege developed a
>     correction for this
>
> CAN-2004-0010
>
>     Arjan van de Ven discovered a stack-based buffer overflow in the
>     ncp_lookup function for ncpfs in the Linux kernel, which could
>     lead an attacker to gain unauthorised privileges. Petr Vandrovec
>     developed a correction for this.
>
> CAN-2004-0109
>
>     zen-parse discovered a buffer overflow vulnerability in the
>     ISO9660 filesystem component of Linux kernel which could be abused
>     by an attacker to gain unauthorised root access. Sebastian
>     Krahmer and Ernie Petrides developed a correction for this.
>
> CAN-2004-0177
>
>     Solar Designer discovered an information leak in the ext3 code of
>     Linux. In a worst case an attacker could read sensitive data such
>     as cryptographic keys which would otherwise never hit disk media.
>     Theodore Ts'o developed a correction for this.
>
> CAN-2004-0178
>
>     Andreas Kies discovered a denial of service condition in the Sound
>     Blaster driver in Linux. He also developed a correction.
>
> These problems will also be fixed by upstream in Linux 2.4.26 and
> future versions of 2.6.
>
> The following security matrix explains which kernel versions for which
> architecture are already fixed. Kernel images in the unstable Debian
> distribution (sid) will be fixed soon.
>
> Architecture    stable (woody)    unstable (sid)    removed in sid
> source          2.4.18-14.3       2.4.25-3          --
> alpha           2.4.18-15         soon              --
> i386            2.4.18-13         soon              --
> i386bf          2.4.18-5woody8    soon              --
> powerpc         2.4.18-1woody5    2.4.25-8          2.4.22
>
> We recommend that you upgrade your kernel packages immediately, either
> with a Debian provided kernel or with a self compiled one.
>
>
> Upgrade Instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.0 alias woody
> - --------------------------------
>
> These files will probably be moved into the stable distribution on
> its next revision.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: [EMAIL PROTECTED]
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFAfVAvW5ql+IAeqTIRAl2ZAJ9iOjA7z+AE4QFETph/RgdpfKu3WwCfdBmo
> l3YTSWUqfR8Uz29E6qhoitY=
> =tRLO
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
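
Added example, not part of the original thread or of the Debian advisory: a check of installed kernel package versions against the stable (woody) column of the advisory's security matrix, using Debian's version-ordering rules reimplemented here in Python. The function names are hypothetical and the inventory values are constructed for illustration.

```python
import re

# Fixed versions from the advisory's security matrix, stable (woody) column.
FIXED = {"source": "2.4.18-14.3", "alpha": "2.4.18-15", "i386": "2.4.18-13",
         "i386bf": "2.4.18-5woody8", "powerpc": "2.4.18-1woody5"}

def _order(c):
    # Debian ordering: '~' sorts first, then letters, then everything else.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right.
    while a or b:
        pa, da, a = re.match(r"(\D*)(\d*)(.*)", a).groups()
        pb, db, b = re.match(r"(\D*)(\d*)(.*)", b).groups()
        ka = [_order(c) for c in pa] + [0]   # 0 marks the end of the run
        kb = [_order(c) for c in pb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        na, nb = int(da or 0), int(db or 0)  # digit runs compare numerically
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    # Version layout: [epoch:]upstream[-revision]
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_upgrade(row, installed):
    # True when the installed version sorts before the fixed one.
    return compare_versions(installed, FIXED[row]) < 0

# Constructed inventory (matrix row, installed version), not real hosts.
INVENTORY = [("i386", "2.4.18-12"), ("i386bf", "2.4.18-5woody7"),
             ("source", "2.4.18-14.10"), ("powerpc", "2.4.18-1woody5")]

if __name__ == "__main__":
    for row, ver in INVENTORY:
        print(row, ver, "UPGRADE" if needs_upgrade(row, ver) else "ok")
```

The `2.4.18-14.10` entry shows why a plain string comparison is not enough: the revision compares numerically, so it sorts after `2.4.18-14.3`.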
