Why hasn't there been a kernel update following latest disclosure?
Robert Citek
rwcitek at alum.calberkeley.org
Tue Aug 18 18:28:25 UTC 2009
>From reading the description of the vulnerability:
http://www.h-online.com/security/Critical-vulnerability-in-the-Linux-kernel-affects-all-versions-since-2001--/news/114004
it seems as though there might be a simple workaround:
"Ormandy and Tiennes say, however, that the exploit will not work on
current kernels with mmap_min_addr support if a number greater than
zero is defined by means of sysctl as the value for vm.mmap_min_addr."
On my 8.04.3 LTS sytem:
$ grep mmap_min_addr /etc/sysctl.conf
vm.mmap_min_addr = 65536
$ sysctl vm.mmap_min_addr
vm.mmap_min_addr = 65536
I'm not sure if changing the vm.mmap_min_addr is good enough until the
kernel patch makes its way down the pipe.
Regards,
- Robert
On Tue, Aug 18, 2009 at 1:05 PM, john<lists.john at gmail.com> wrote:
> Hello all,
>
> I am trying to figure out why ubuntu hasn't released an updated kernel
> following last weeks Linux Kernel vulnerability
> http://www.h-online.com/security/Linux-kernel-vulnerability-fixes-Update--/news/114021
>
> Debian has already announced and patched this as DSA 1864-1 . I
> haven't seen any thing on ubuntu-security-announce
>
> Does anyone have any insight into this?
>
> Thanks,
>
> John
More information about the edubuntu-devel
mailing list