Fwd: [SECURITY] [DSA 479-2] New Linux 2.4.18 packages fix local root exploit (i386)

From: Shachar Shemesh (linux-il_at_nonexisting.hamakor.org.il)
Date: Thu 15 Apr 2004 - 06:57:21 IDT


Well, my personal favourite distro has screwed it this time.

Martin Schulze wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>- --------------------------------------------------------------------------
>Debian Security Advisory DSA 479-2 security_at_debian.org
>http://www.debian.org/security/ Martin Schulze
>April 14th, 2004 http://www.debian.org/security/faq
>- --------------------------------------------------------------------------
>
>Package : kernel-image-2.4.18-1-i386
>Vulnerability : several vulnerabilities
>Problem-Type : local
>Debian-specific: no
>CVE ID : CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178
>
>
>
..

>An unfortunate build error caused some of the kernel
>packages in DSA 479-1 to be broken. They are updated with this
>advisory. For completeness below is the original advisory text:
>
>
Conclusions:
When doing remote upgrades, it is CRUCIAL to have a backup kernel ready
on hand, in case you need to boot the machine in failsafe mode. If I
hadn't done that with hamakor.org.il, the machine would have been down
since yesterday noon, requiring physical attendance and an alternative
boot method to recover.

Using LILO for remotely updateable machines is an important addition.
When doing so, update the kernel using the following set of commands:
    lilo -D Failsafe    (override the default in lilo.conf to the new name)
    lilo -R Linux       (boot this image only once)
    reboot
When the machine comes up again:
    lilo                (bring everything back to the lilo.conf setting, which
                         is now known to be working).

If the machine hangs, a simple reboot will make it choose the failsafe
kernel.

Never trust your distro completely. Even the best of them may screw up
occasionally :-( Always try to have contingency plans in place.

             Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/
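An added shell wrapper for the one-shot test-boot sequence described in the post (example code, not the author's or Debian's). It assumes the lilo.conf labels Linux and Failsafe from the message and lilo's real -C, -D and -R options; the LILO_CMD/LILO_CONF overrides and the embedded sample lilo.conf are hypothetical and constructed so the checks can be exercised without touching a real boot sector.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the one-shot test-boot
# procedure: make the known-good kernel the default, boot the new kernel once.
# LILO_CMD/LILO_CONF are hypothetical overrides so the steps can be dry-run.
LILO_CMD="${LILO_CMD:-lilo}"
LILO_CONF="${LILO_CONF:-/etc/lilo.conf}"

# Constructed sample lilo.conf (paths are placeholders, not real packages).
write_sample_conf() {
    cat > "$1" <<'EOF'
boot=/dev/hda
default=Linux
image=/boot/vmlinuz-new
        label=Linux
        read-only
image=/boot/vmlinuz-known-good
        label=Failsafe
        read-only
EOF
}

# Succeed only if lilo.conf ($2) defines a stanza with label $1.
has_label() {
    grep -Eq "^[[:space:]]*label[[:space:]]*=[[:space:]]*\"?$1\"?[[:space:]]*$" "$2"
}

# Phase 1, run before reboot: refuse to proceed unless BOTH labels exist, then
# set the default to the failsafe kernel and arm a one-shot boot of the new one.
stage_test_boot() {
    conf="$1"; new="$2"; safe="$3"
    has_label "$safe" "$conf" || { echo "no '$safe' stanza in $conf" >&2; return 1; }
    has_label "$new" "$conf"  || { echo "no '$new' stanza in $conf" >&2; return 1; }
    "$LILO_CMD" -C "$conf" -D "$safe" || return 1   # a hang now falls back to $safe
    "$LILO_CMD" -C "$conf" -R "$new"  || return 1   # next boot only: the new kernel
}

# Phase 2, run after the new kernel came up fine: rewrite the boot map from
# lilo.conf so its own default= applies again.
restore_default() {
    "$LILO_CMD" -C "$1"
}

# Typical use (uncomment on a real host):
# stage_test_boot "$LILO_CONF" Linux Failsafe && reboot
# ... after reboot: restore_default "$LILO_CONF"
```

If either label is missing the script stops before calling lilo at all, so a typo in lilo.conf cannot leave the machine without a fallback entry.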


This archive was generated by hypermail 2.1.7 : Thu 15 Apr 2004 - 07:10:47 IDT