Unpatched major kernel
Marcel Rieux
m.z.rieux at gmail.com
Mon Aug 23 21:54:05 UTC 2010
eldavojohn writes
"On June 17th, the X.org team was notified by Invisible Things Lab of
a critical security flaw (PDF) that affected both x86_32 and x86_64
platforms. The flaw deals with escalated privileges of a user process
that has access to the X server. The founder of ITL said of the flaw,
'The attack allows a (unpriviliged) user process that has access to
the X server (so, any GUI application) to unconditionally escalate to
root (but again, it doesn't take advantage of any bug in the X
server!). In other words: any GUI application (think e.g. sandboxed
PDF viewer), if compromised (e.g. via malicious PDF document) can
bypass all the Linux fancy security mechanisms, and escalate to root,
and compromise the whole system.' This has apparently been a security
flaw since kernel 2.6 was released. From the article, 'On 13 August,
Linus Torvalds committed an initial fix, but several patches were
added afterward for various reasons. The problem has been addressed in
versions 2.6.27.52, 2.6.32.19, 2.6.34.4 and 2.6.35.2 of the kernel.'"
http://tech.slashdot.org/story/10/08/18/1534258/Linux-Xorg-Critical-Security-Flaw-Silently-Patched
==============
August 13 is 10 days ago. Kernel.org now says the latest stable version is:
stable: 2.6.32.20 2010-08-20
http://www.all.kernel.org/
It was out 3 days ago.
Any reason Fedora is not updating the kernel on what looks like a major flaw.
More information about the users
mailing list