[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] SUSE Security Announcement: gpg -> and kernel ? :)

To: suse-security@xxxxxxx
Subject: Re: [suse-security] SUSE Security Announcement: gpg -> and kernel ? :)
From: "Olivier M." <qmail@xxxxxxxxxxxxx>
Date: Thu, 4 Dec 2003 11:32:16 +0100
Delivered-to: mailing list suse-security@xxxxxxxx
Delivery-date: Thu, 04 Dec 2003 11:38:22 +0100
Envelope-to: suse@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.58.0312031522480.9630@xxxxxxxxxxxx>; from Roman Drahtmueller on Wed, Dec 03, 2003 at 03:23:06PM +0100
List-help: <mailto:suse-security-help@suse.com>
List-post: <mailto:suse-security@suse.com>
List-subscribe: <mailto:suse-security-subscribe@suse.com>
List-unsubscribe: <mailto:suse-security-unsubscribe-suse=archive.cert.uni-stuttgart.de@suse.com>
Mailing-list: contact suse-security-help@xxxxxxxx; run by ezmlm
References: <Pine.LNX.4.58.0312031522480.9630@xxxxxxxxxxxx>

On Wed, Dec 03, 2003 at 03:23:06PM +0100, Roman Drahtmueller wrote:
> ______________________________________________________________________________
>                         SUSE Security Announcement
>         Package:                gpg
> ______________________________________________________________________________
> [...] 
> 2)  Pending vulnerabilities in SUSE Distributions and Workarounds:
> 
>   - kernel: brk() vulnerability
>     All SUSE Linux kernels (except for the SUSE Linux Enterprise Server 8)
>     are vulnerable to a privilege escalation vulnerability that can be 
>     exploited by an attacker who has local shell acccess to your system.
>     We are in the process of testing the update packages for all of our
>     products. The packages are expected to be released within hours and
>     are being published as they are ready.

well well, according to http://lwn.net/Vulnerabilities/60820/ all the
majors linux distributors (RH, mdk, debian, etc.) execpted SuSE have 
released fixed packages...  And there is nothing about that threat
under http://www.suse.com/de/security/announcements/index.html yet. 

Does your "within hours" means something before the end of the week? 
With the exploits around (which allowed to crack of savannah.gnu.org
too), it would be nice if it could come out... :-)  Otherwise I guess
we'll have to patch & fix & recompile the kernels "by hand". 

Thanks & regards,
Olivier

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here

References:
- [suse-security] SUSE Security Announcement: gpg (SuSE-SA:2003:048)
  - From: Roman Drahtmueller

Prev by Date: [suse-security] do_brk - kernel update?
Next by Date: Re: [suse-security] do_brk - kernel update?
Previous by thread: [suse-security] SUSE Security Announcement: gpg (SuSE-SA:2003:048)
Next by thread: [suse-security] Crackers Trap tool/project
Index(es):
- Date
- Thread