All times are UTC

 Post subject: [CVE-2008-1375]Linux 2.6.24.x < 2.6.24.6, race condition
PostPosted: Fri May 02, 2008 12:42 am 
Zenwalk Packager
Joined: Thu Mar 29, 2007 2:34 am
Posts: 1253
Location: Taiwan
The same vulnerability also affects Linux 2.6.25; the new 2.6.25.1 has been released to fix this.

www.securityfocus.com wrote:
The Linux kernel is prone to a local race-condition vulnerability.

A local attacker may exploit this issue to crash the computer or to gain elevated privileges on the affected computer.


According to the report on SecurityFocus, this issue is not remotely exploitable. Still, it's highly recommended that we update our kernel to 2.6.24.6. For the 2.6.25.x series, it should be updated to 2.6.25.1.

--EDIT--
For more information, the CVE webpage might not be helpful (because this alert is preserved). I'd suggest reading the kernel changelog of 2.6.24.6:

http://www.kernel.org/pub/linux/kernel/ ... g-2.6.24.6


Last edited by infwonder on Fri May 09, 2008 10:54 am, edited 2 times in total.
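
As an added example (not part of the original posts): a POSIX shell function that classifies a kernel release string against only the two ranges stated in this thread, 2.6.24.x before 2.6.24.6 and 2.6.25 before 2.6.25.1. The function name and the sample release strings are constructed for illustration; series the thread does not mention are reported as not-covered rather than guessed.

```sh
#!/bin/sh
# Added example. Ranges come from the thread only:
#   2.6.24.x is fixed at 2.6.24.6, 2.6.25.x is fixed at 2.6.25.1.
# Prints one of: affected | fixed | not-covered | unparsable
cve_2008_1375_status() {
    rel=$1
    # Release candidates are not discussed in the thread, so do not guess.
    case $rel in
        *-rc*) echo not-covered; return 0 ;;
    esac
    # Assumption: anything after the first "-" is a local tag (e.g. "-smp").
    base=${rel%%-*}
    # Accept only dotted decimal numbers.
    case $base in
        ''|*[!0-9.]*|.*|*.|*..*) echo unparsable; return 0 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $base          # split "2.6.24.5" into four fields
    IFS=$old_ifs
    series="$1.$2.$3"
    stable=${4:-0}        # "2.6.25" means stable release 0
    case $series in
        2.6.24) fixed_at=6 ;;
        2.6.25) fixed_at=1 ;;
        *) echo not-covered; return 0 ;;
    esac
    if [ "$stable" -lt "$fixed_at" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample releases, followed by the running kernel.
for r in 2.6.24.2 2.6.24.5-smp 2.6.24.6 2.6.25 2.6.25.1 "$(uname -r)"; do
    printf '%s\t%s\n' "$r" "$(cve_2008_1375_status "$r")"
done
```
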

 Post subject: Re: [CVE-2008-1375]Linux 2.6.24.x < 2.6.24.6, race condition
PostPosted: Fri May 02, 2008 1:53 am 
Zenwalk Packager
Joined: Sat Mar 11, 2006 11:56 am
Posts: 1817
Location: Berlin
There were other good reasons (2.6.24.3/4/5) to update the kernel for quite some time -
what makes you think this update is different than others ;)


 Post subject: Re: [CVE-2008-1375]Linux 2.6.24.x < 2.6.24.6, race condition
PostPosted: Fri May 02, 2008 6:12 am 
Zenwalk Packager
Joined: Thu Mar 29, 2007 2:34 am
Posts: 1253
Location: Taiwan
til wrote:
There were other good reasons (2.6.24.3/4/5) to update the kernel for quite some time -
what makes you think this update is different than others ;)


Reason 1: This security issue was reported on May 01 2008 12:00AM. While I am not sure what you are suggesting in your reply, to me this issue is different because it's new.
Reason 2: As I said, Linux 2.6.24.x before 2.6.24.6 are all vulnerable to this issue. In fact, Slackware also released an update in 12.1 RC4.

I am not simply proposing to update the ZW kernel, I am reporting security issues related to the kernel. It has to be updated or our users will suffer from this issue. Of course, if you have information on other vulnerabilities related to this package, please let us know about it.


 Post subject: Re: [CVE-2008-1375]Linux 2.6.24.x < 2.6.24.6, race condition
PostPosted: Fri May 02, 2008 8:57 am 
Zenwalk Packager
Joined: Sat Mar 11, 2006 11:56 am
Posts: 1817
Location: Berlin
Don't take my words literally - it was a hint all the way up ;)


 Post subject: Re: [CVE-2008-1375]Linux 2.6.24.x < 2.6.24.6, race condition
PostPosted: Fri May 02, 2008 2:18 pm 
Zenwalk Packager
Joined: Thu Mar 29, 2007 2:34 am
Posts: 1253
Location: Taiwan
:-[ Sorry, I guess I was too worried about "kernel related" issues due to previous experience with the distrowatch review.


 Post subject: Re: [CVE-2008-1375]Linux 2.6.24.x < 2.6.24.6, race condition
PostPosted: Sat May 03, 2008 12:39 pm 
Global Moderator
Joined: Mon Apr 10, 2006 12:43 pm
Posts: 3217
Location: Ath (Belgium)
The new kernel is on the server but only in SNAPSHOT.
I don't know what we can do for current ???


Bip


 Post subject: Re: [CVE-2008-1375]Linux 2.6.24.x < 2.6.24.6, race condition
PostPosted: Sat May 03, 2008 3:16 pm 

Someone has to build the nvidia drivers for current and then we can put the kernel in current too. I don't know if Axxium is too busy to do it. I certainly can't do it, I have no nvidia here. Maybe we should contact Axxium.


  
 
 Post subject: Re: [CVE-2008-1375]Linux 2.6.24.x < 2.6.24.6, race condition
PostPosted: Sat May 03, 2008 5:06 pm 
Zenwalk Packager
Joined: Thu Mar 29, 2007 2:34 am
Posts: 1253
Location: Taiwan
bipbip wrote:
The new kernel is on the server but only in SNAPSHOT.
I don't know what we can do for current ???


I think we have 2.6.25 in SNAPSHOT which can be updated to 2.6.25.1.
For the CURRENT repos, can't we just update the 2.6.24.x to 2.6.24.6?

:-\


 Post subject: Re: [CVE-2008-1375]Linux 2.6.24.x < 2.6.24.6, race condition
PostPosted: Sat May 03, 2008 5:13 pm 

Updating 2.6.24.2 from current to 2.6.24.6 would also mean that all nvidia drivers and kernel related packages would have to be rebuilt, so it's easier to just upgrade everything to 2.6.25.1. Axxium will have the nvidia drivers ready real soon though. ;)


  
 
 Post subject: Re: [CVE-2008-1375]Linux 2.6.24.x < 2.6.24.6, race condition
PostPosted: Fri May 09, 2008 10:52 am 
Zenwalk Packager
Joined: Thu Mar 29, 2007 2:34 am
Posts: 1253
Location: Taiwan
I think at this moment we're all expecting the upcoming 5.2 release, so despite the fact that the kernel in the CURRENT repo is still 2.6.24.2, I think it's ok to mark this issue as [Fixed].

Once again, ALL users are encouraged to upgrade to SNAPSHOT after careful evaluation of the impact to your own system... ;)

What do you think about this? Do we still need a kernel 2.6.24.6 update?

