Posted to modperl@perl.apache.org by Ged Haywood <ge...@jubileegroup.co.uk> on 2000/06/10 14:02:57 UTC
[OT - Security] Linux vulnerability
Hi all,
I thought this might be of interest to Apache users running Linux.
> A vulnerability in some versions of Linux has recently been
> identified.
>
> SYSTEMS AFFECTED
>
> Linux kernel versions 2.2.x before 2.2.16
> (2.0.x are safe; 2.2.16 is safe)
>
> IMPACT
>
> Any local user can gain root privileges <<<<<<<<<<<<<<<<<<<<<<
>
> TO FIX
>
> Upgrade to kernel 2.2.16
>
> REFERENCES
>
> Postings regarding the vulnerability to BUGTRAQ:
>
>
> http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-01&msg=20000608003814.A42233@vuurwerk.nl
>
> http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-01&msg=070b01bfd0cd$95b678e0$0701a8c0@dokter.multiweb.nl
>
> http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-01&msg=14654.64010.630301.109982@horsey.gshapiro.net
>
> Source for Linux kernel version 2.2.16:
>
> http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.16.tar.gz
>
> NOTES
>
> Don't be confused by the references to Sendmail in the descriptions
> of the bug - its role in this vulnerability is incidental and other
> setuid programs may be usable in a similar way.
>
>
73,
Ged.
Re: [OT - Security] Linux vulnerability
Posted by Matt Sergeant <ma...@sergeant.org>.
On Sat, 10 Jun 2000, Ged Haywood wrote:
> Hi all,
>
> I thought this might be of interest to Apache users running Linux.
[snip]
Note that this is not a vulnerability that Apache/Linux suffers from
particularly, except in the case of a mod_perl or CGI exploit that allows
the user to get a local account on the machine, in which case he/she can
"upgrade" that account to root using this exploit.
Of course you should probably say "to hell with my 90+ days uptime" and
upgrade anyway ;-)
--
<Matt/>
Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org http://xml.sergeant.org