Local vulnerability in all Linux kernels

mikeshinn · **Posted:** Fri Aug 14, 2009 5:58 pm

There is a local vulnerability in all Linux kernels. ASL includes countermeasures to protect you from this vulnerability. However, because thats never good enough for us we're putting out an update that closes the Null Dereferencing flaw once and for all. This is not a critical update, so we recommend you test the update on non-production machines before putting into production.

Also, this vulnerability can only effects systems if the following protocols are enabled (which is not the case by default in ASL either) - and its only a local exploit:

PF_APPLETALK
PF_IPX
PF_IRDA
PF_X25
PF_AX25
PF_BLUETOOTH
PF_IUCV
IPPROTO_SCTP/PF_INET6
PF_PPPOX
PF_ISDN

The latest ASL kernel is: 2.6.29.6-1.art

If you are not running an ASL kernel, then you are highly recommended to check with your vendor to make sure they close this hole as those kernels do not have any protections against this vulnerability. You can on non-ASL kernels disable these protocols, but theres no guarantee that the issue will be mitigated. Upgrading your kernel is the recommended option.

BerArt · **Posted:** Sat Aug 15, 2009 7:26 am

Is this in the Yum channel? because I just wanted to update but via YUM I did not get a new kernel?

breun · **Posted:** Sat Aug 15, 2009 7:52 am

Kernel 2.6.29.6-1.art is still in the asl-2.0-testing channel.

BerArt · **Posted:** Sun Aug 16, 2009 5:12 am

Ah, ok thx breun, that explains it

breun · **Posted:** Sun Aug 16, 2009 7:10 am

It was released to stable yesterday, but now there is another reason people might not see the update: the new 32-bit ASL kernel is i586, while previous versions were i686 and this causes yum to not pick up the update.

breun · **Posted:** Sun Aug 16, 2009 10:45 am

Apparently ASL adopted the new Red Hat standard for kernel packages. The new i686 kernels are all PAE kernels and the non-PAE kernels are i586. Eventually the non-PAE kernels will be discontinued, so you'll probably want to install the kernel-PAE package if you're on i686:

Code:

yum install kernel-PAE

This kernel will also let you use more than 4 GB RAM on a 32-bit OS, although it is better to run a 64-bit OS if you plan on doing that.

BerArt · **Posted:** Mon Aug 17, 2009 11:26 am

If I installed the .586 first can I just install the PEA kernel after? Or do I wait for the next update? (edit:// just tried, this worked)

Thx breun now I know why YUM did not pickup on this

Still some issues after the update: viewtopic.php?f=3&t=3371

scott · **Posted:** Mon Aug 17, 2009 1:09 pm

Those issues are false positives, they can be safely ignored.

Local vulnerability in all Linux kernels

Who is online