[Full-Disclosure] RE: 1 patch for 1 vulnerability for Linux and BSD? gunna try and sell us a bridge now too?

From: Edward W. Ray (support_at_mmicman.com)
Date: 04/15/04

    To: "'Exibar'" <exibar@thelair.com>, <full-disclosure@lists.netsys.com>
    Date: Wed, 14 Apr 2004 20:36:17 -0700
    
    

    If it weren't for the vulnerabilities being around for MORE THAN SIX MONTHS,
    I would not have an issue. Personally I prefer to know ASAP of any
    vulnerability and have a possible workaround if a patch cannot be
    immediately released. I would think that MS, with its $53 billion in the bank
    ($51 billion now that they have paid Sun $2B) and many more resources than
    the FreeBSD, Linux and OpenBSD communities, would be able to release
    patches immediately instead of six months later.

    -----Original Message-----
    From: Exibar [mailto:exibar@thelair.com]
    Sent: Wednesday, April 14, 2004 9:05 AM
    To: full-disclosure@lists.netsys.com; support@mmicman.com
    Subject: 1 patch for 1 vulnerability for Linux and BSD? gunna try and sell us a bridge now too?

    Looks like Linux Math is just as bad as Microsoft math now huh? What
    happened to one patch for one vulnerability? Looks like there are 5 in this
    one......

    ----- Original Message -----
    From: <debian-security-announce@lists.debian.org>
    To: <full-disclosure@lists.netsys.com>
    Sent: Wednesday, April 14, 2004 10:52 AM
    Subject: [Full-Disclosure] [SECURITY] [DSA 479-1] New Linux 2.4.18 packages fix local root exploit (source+alpha+i386+powerpc)

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > - --------------------------------------------------------------------------
    > Debian Security Advisory DSA 479-1                     security@debian.org
    > http://www.debian.org/security/                             Martin Schulze
    > April 14th, 2004                        http://www.debian.org/security/faq
    > - --------------------------------------------------------------------------
    >
    > Package        : kernel-source-2.4.18 kernel-image-2.4.18-1-alpha kernel-image-2.4.18-1-i386 kernel-image-2.4.18-i386bf kernel-patch-2.4.18-powerpc
    > Vulnerability  : several vulnerabilities
    > Problem-Type   : local
    > Debian-specific: no
    > CVE ID         : CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178
    >
    > Several serious problems have been discovered in the Linux kernel.
    > This update takes care of Linux 2.4.18 for the alpha, i386 and powerpc
    > architectures.  The Common Vulnerabilities and Exposures project
    > identifies the following problems that will be fixed with this update:
    >
    > CAN-2004-0003
    >
    >     A vulnerability has been discovered in the R128 driver in the Linux
    >     kernel which could potentially lead an attacker to gain
    >     unauthorised privileges.  Alan Cox and Thomas Biege developed a
    >     correction for this.
    >
    > CAN-2004-0010
    >
    >     Arjan van de Ven discovered a stack-based buffer overflow in the
    >     ncp_lookup function for ncpfs in the Linux kernel, which could
    >     lead an attacker to gain unauthorised privileges.  Petr Vandrovec
    >     developed a correction for this.
    >
    > CAN-2004-0109
    >
    >     zen-parse discovered a buffer overflow vulnerability in the
    >     ISO9660 filesystem component of Linux kernel which could be abused
    >     by an attacker to gain unauthorised root access.  Sebastian
    >     Krahmer and Ernie Petrides developed a correction for this.
    >
    > CAN-2004-0177
    >
    >     Solar Designer discovered an information leak in the ext3 code of
    >     Linux.  In a worst case an attacker could read sensitive data such
    >     as cryptographic keys which would otherwise never hit disk media.
    >     Theodore Ts'o developed a correction for this.
    >
    > CAN-2004-0178
    >
    >     Andreas Kies discovered a denial of service condition in the Sound
    >     Blaster driver in Linux.  He also developed a correction.
    >
    > These problems will also be fixed by upstream in Linux 2.4.26 and
    > future versions of 2.6.
    >
    > The following security matrix explains which kernel versions for which
    > architecture are already fixed.  Kernel images in the unstable Debian
    > distribution (sid) will be fixed soon.
    >
    > Architecture    stable (woody)     unstable (sid)    removed in sid
    > source          2.4.18-14.3        2.4.25-3          --
    > alpha           2.4.18-15          soon              --
    > i386            2.4.18-13          soon              --
    > i386bf          2.4.18-5woody8     soon              --
    > powerpc         2.4.18-1woody5     2.4.25-8          2.4.22
    >
    > We recommend that you upgrade your kernel packages immediately, either
    > with a Debian provided kernel or with a self compiled one.
    >
    >
    > Upgrade Instructions
    > - --------------------
    >
    > wget url
    >         will fetch the file for you
    > dpkg -i file.deb
    >         will install the referenced file.
    >
    > If you are using the apt-get package manager, use the line for
    > sources.list as given below:
    >
    > apt-get update
    >         will update the internal database
    > apt-get upgrade
    >         will install corrected packages
    >
    > You may use an automated update by adding the resources from the
    > footer to the proper configuration.
    >
    >
    > Debian GNU/Linux 3.0 alias woody
    > - --------------------------------
    >
    >   Source archives:
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.3.dsc
    >       Size/MD5 checksum:      664 a9d96cc8553c3a9085bad09e071c5814
    >     http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.3.diff.gz
    >       Size/MD5 checksum:    70724 4de077af92c196a6af7797d1ceea4004
    >     http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18.orig.tar.gz
    >       Size/MD5 checksum: 29818323 24b4c45a04a23eb4ce465eb326a6ddf2
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-alpha_2.4.18-15.dsc
    >       Size/MD5 checksum:      876 453a2a47eb3c6b748e75e0cb65bdd6bb
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-alpha_2.4.18-15.tar.gz
    >       Size/MD5 checksum:    24922 f822e7999659ddcfd53dee73894afdc1
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-i386_2.4.18-13.dsc
    >       Size/MD5 checksum:     1327 d37593f6e47c2b9809530eb54deeae3e
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-i386_2.4.18-13.tar.gz
    >       Size/MD5 checksum:    70213 c795ba781adbd8a19202d8d986a3d0da
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-i386bf/kernel-image-2.4.18-i386bf_2.4.18-5woody8.dsc
    >       Size/MD5 checksum:      656 278af48a357187864c52382eeb13451d
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-i386bf/kernel-image-2.4.18-i386bf_2.4.18-5woody8.tar.gz
    >       Size/MD5 checksum:    26780 1f0c2eba8d3d90eef1a183f6b27f1fff
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.18-powerpc/kernel-patch-2.4.18-powerpc_2.4.18-1woody5.dsc
    >       Size/MD5 checksum:      713 77511f3afefed1dd71c1f73e2e036000
    >     http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.18-powerpc/kernel-patch-2.4.18-powerpc_2.4.18-1woody5.tar.gz
    >       Size/MD5 checksum:    79970 2720d9864cdd05bfc6b3bd7228ca9083
    >
    >   Architecture independent components:
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-doc-2.4.18_2.4.18-14.3_all.deb
    >       Size/MD5 checksum:  1720106 f25772ce2d398adc25509a1ae040c76f
    >     http://security.debian.org/pool/updates/main/k/kernel-source-2.4.18/kernel-source-2.4.18_2.4.18-14.3_all.deb
    >       Size/MD5 checksum: 24138244 d63666d64cb91f59f2feded30ef8ea70
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.18-powerpc/kernel-patch-2.4.18-powerpc_2.4.18-1woody5_all.deb
    >       Size/MD5 checksum:    79722 d822eaa6adcdd517d600d62c819db7b6
    >
    >   Alpha architecture:
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1_2.4.18-15_alpha.deb
    >       Size/MD5 checksum:  3363486 862f6e8f85737dd13c6ca9b760384f1a
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1-generic_2.4.18-15_alpha.deb
    >       Size/MD5 checksum:  3512910 935ef424b222d336a642b2e7cd291e4a
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-headers-2.4.18-1-smp_2.4.18-15_alpha.deb
    >       Size/MD5 checksum:  3515528 6ef19a362ec019e79fdb057fea1c9fc2
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-generic_2.4.18-15_alpha.deb
    >       Size/MD5 checksum: 12424690 725ff255cf8941cfb5c77581d8a518d4
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-alpha/kernel-image-2.4.18-1-smp_2.4.18-15_alpha.deb
    >       Size/MD5 checksum: 12801130 8d15f05215223ffcf9b11b3f682667d3
    >
    >   Intel IA-32 architecture:
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  3429534 1aac0648c6f5fdee84721799806ef07a
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-386_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  3446290 a13776eb95c3661696f86e06a6dbac48
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-586tsc_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  3446482 233230438756120878a4e4b96876e61b
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-686_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  3446444 b5f8437bfd3279ed3f4b2f63fc2d75f5
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-686-smp_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  3446458 6dbbfba03667156316b184bd939d21e2
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-k6_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  3446350 ff76c153c3eb285b1f7b035223bc1e39
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-headers-2.4.18-1-k7_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  3446324 dc2a142c75db787fdeb8a0c8e8941d1a
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-386_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  1154336 96f1e8262a5b11a8498d70643e87f546
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-586tsc_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  1154362 8b4bc947b6ab39a2deb0731f891889f3
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-686_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  1154358 a6e7db160b30f90711be11260128a6bb
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-686-smp_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  1154414 cde845ca2c7b351ce79b66965a04a748
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-k6_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  1154338 407aa3a3a95aa5cd8aaf5b34b306b1a4
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-image-2.4.18-1-k7_2.4.18-13_i386.deb
    >       Size/MD5 checksum:  1154342 152aca9d4a2d7014a9834c239d754d0e
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-386_2.4.18-13_i386.deb
    >       Size/MD5 checksum:     5746 9a5675e9da37620b2b3c8dc1aebfa5d0
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-586tsc_2.4.18-13_i386.deb
    >       Size/MD5 checksum:     5758 325071afd718f4c0c1ba8769aba9864d
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-686_2.4.18-13_i386.deb
    >       Size/MD5 checksum:     5778 212f47c992067729e8eb3da05c89c242
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-686-smp_2.4.18-13_i386.deb
    >       Size/MD5 checksum:     5804 683e3a330cfde650ede99e8a6a771149
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-k6_2.4.18-13_i386.deb
    >       Size/MD5 checksum:     5760 8a73b13a799928232f5028be37356ad2
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-1-i386/kernel-pcmcia-modules-2.4.18-1-k7_2.4.18-13_i386.deb
    >       Size/MD5 checksum:     5762 be2713125a6111ab76458e07d42f3634
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-i386bf/kernel-headers-2.4.18-bf2.4_2.4.18-5woody8_i386.deb
    >       Size/MD5 checksum:  3411032 c97ea4fcff846ac6d0dc945d601cb97c
    >     http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-i386bf/kernel-image-2.4.18-bf2.4_2.4.18-5woody8_i386.deb
    >       Size/MD5 checksum:  6425640 83dc812db817e703eaa21451d048f4f7
    >
    >   PowerPC architecture:
    >
    >     http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.18-powerpc/kernel-headers-2.4.18_2.4.18-1woody5_powerpc.deb
    >       Size/MD5 checksum:  3433044 0836b0d1fbcc5c9f440d5c75ff14f006
    >     http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.18-powerpc/kernel-image-2.4.18-newpmac_2.4.18-1woody5_powerpc.deb
    >       Size/MD5 checksum:  9456688 4473c2577d3be988993219b82ed90eda
    >     http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.18-powerpc/kernel-image-2.4.18-powerpc_2.4.18-1woody5_powerpc.deb
    >       Size/MD5 checksum: 10105472 ae0b1d57bfc8593d9aa4ad1403044607
    >     http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.18-powerpc/kernel-image-2.4.18-powerpc-smp_2.4.18-1woody5_powerpc.deb
    >       Size/MD5 checksum: 10351786 f84fe609d7192a51c4f091c1c0893680
    >
    >
    >   These files will probably be moved into the stable distribution on
    >   its next revision.
    >
    > - ---------------------------------------------------------------------------------
    > For apt-get: deb http://security.debian.org/ stable/updates main
    > For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    > Mailing list: debian-security-announce@lists.debian.org
    > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.4 (GNU/Linux)
    >
    > iD8DBQFAfVAvW5ql+IAeqTIRAl2ZAJ9iOjA7z+AE4QFETph/RgdpfKu3WwCfdBmo
    > l3YTSWUqfR8Uz29E6qhoitY=
    > =tRLO
    > -----END PGP SIGNATURE-----
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
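The advisory's upgrade recipe is "wget url" followed by "dpkg -i file.deb", and it publishes a Size/MD5 line for every file it lists. The script below is an added example, not part of the DSA or of either message in this thread: it supplies the step the recipe leaves implicit, checking a downloaded file's size and MD5 digest against the advisory's line and only then handing it to dpkg. The function names (verify_pkg, verify_from_advisory, install_if_verified) are this example's own, and the demo file and its digest are constructed stand-ins, not a real package.

```shell
#!/bin/sh
# Added example: gate "dpkg -i" on the Size/MD5 line a Debian Security
# Advisory publishes for each file. Not part of DSA 479-1 or the thread.

# md5_of FILE: print the MD5 hex digest with whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | sed 's/.*= //'
    else
        echo "no MD5 tool available" >&2
        return 2
    fi
}

# size_of FILE: byte length; wc is used so GNU and BSD userlands agree.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_pkg FILE EXPECTED_SIZE EXPECTED_MD5
# Exit 0 when both values match the advisory, 1 otherwise, naming the
# failed check on stderr. Size is checked first: it is cheap and catches
# truncated downloads before any hashing is done.
verify_pkg() {
    file=$1; want_size=$2; want_md5=$3
    have_size=$(size_of "$file") || return 1
    if [ "$have_size" != "$want_size" ]; then
        echo "SIZE MISMATCH $file: got $have_size, advisory says $want_size" >&2
        return 1
    fi
    have_md5=$(md5_of "$file") || return 1
    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 MISMATCH $file: got $have_md5, advisory says $want_md5" >&2
        return 1
    fi
    echo "OK $file"
}

# verify_from_advisory FILE "      Size/MD5 checksum:      664 a9d96cc8..."
# Takes the checksum line exactly as printed in the DSA, splits it into
# size and digest, and runs verify_pkg.
verify_from_advisory() {
    set -- "$1" $(printf '%s\n' "$2" | sed 's/.*checksum:[[:space:]]*//')
    verify_pkg "$1" "$2" "$3"
}

# install_if_verified FILE EXPECTED_SIZE EXPECTED_MD5
# The "wget url; dpkg -i file.deb" sequence with the check in between:
# dpkg never runs on a file whose size or digest disagrees with the advisory.
install_if_verified() {
    verify_pkg "$1" "$2" "$3" || return 1
    dpkg -i "$1"
}

# demo: constructed data, not a real .deb. "hello\n" is 6 bytes and has
# MD5 b1946ac92492d2347c6235b4d2611184; the second check uses a deliberately
# wrong digest and must be refused. Returns 0 only if both outcomes are right.
demo() {
    tmp=$(mktemp) || return 1
    printf 'hello\n' > "$tmp"
    if verify_pkg "$tmp" 6 b1946ac92492d2347c6235b4d2611184; then good=0; else good=1; fi
    if verify_pkg "$tmp" 6 00000000000000000000000000000000 2>/dev/null; then bad=0; else bad=1; fi
    rm -f "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "demo: accept-on-match and refuse-on-mismatch both behaved"
```

The Size/MD5 line guards against a truncated or corrupted download and against installing the wrong file; it is not what establishes authenticity, since MD5 is not collision-resistant. That rests on the PGP signature over the advisory text itself (the "-----BEGIN PGP SIGNED MESSAGE-----" block above), which should be checked with gpg --verify before the checksums inside it are trusted.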
    
