[Dshield] kernel patches

jayjwa jayjwa at atr2.ath.cx
Fri Jan 9 02:41:02 GMT 2004



On Wed, 7 Jan 2004, Johannes B. Ullrich wrote:

> > I'm very disappointed with my distro. A full day and a half before they
> > even had the warning up. Not acceptable.
>
> Which distro is it? RedHat had updated RPMs up yesterday afternoon
> (a few hours after the notice came out). I find that updating kernels
> using the RedHat RPMs is reasonably straightforward. I just don't like
> their kernel. I don't think any of the major distros has a grsecurity
> patched kernel at this point. I think SuSe provides extended ACLs.

Slackware. I usually wait to just get their patches, but the day the
notice came out, there was nothing on www.slackware.com for advisories
about it. Not even an email message about it (I'm on the security
announcement list) until the next day, when the patches came out. By that
time, anyone using Slackware as a server machine (a lot of us) had already
downloaded 2.4.24 from ftp.kernel.org and did it themselves. I heard about
the problem on incidents.org first. Immediately after, I searched
www.slackware.com- nothing, mandrake- nothing, and I even want to say RH
had nothing up at that time either. A full day is a long time to trust
that someone isn't going to root you. In this case I wasn't as worried
because A. I trust my users B. no actual code appeared to exist to exploit
the bug. Even Linus himself questioned that on a notice I saw (but it was
implied, not directly stated, you understand...)
Anyway, to date, I've not seen a working escalate to root priv exploit yet,
although I do have 2 C programs that are supposedly "proof of concept"-
but, if you ask me, they don't prove that root IS obtainable; only that
there is a bug in the code. Whether or not that can be successfully
exploited with any degree of reliability remains to be seen. This was last
night. Today there may be something else out, I haven't checked yet.



[jayjwa]RLF #37




