
Critical Linux kernel flaw patched but check your distro

A serious Linux kernel vulnerability was patched by Linus Torvalds this week, but distros are still scrambling to catch up with the fix. Get the details here.

Security researcher Rafal Wojtczuk from Invisible Things Lab reported a Linux kernel vulnerability which would allow an attacker who has compromised any GUI application, such as a PDF viewer, to bypass the kernel's protections and potentially take over the system. The flaw has been present since at least 2003, and according to LinuxPlanet, it first became known to developers and distros only in June. You can read the PDF report compiled by Wojtczuk here.

So far, though, only some progress has been made in closing the hole, known officially as CVE-2010-2240. Linux founder Linus Torvalds committed a patch for the issue on Friday, and Linux kernel developer Greg Kroah-Hartman that same day formally announced the 2.6.35.2 Linux kernel release, advising all users to update.

The problem, of course, is that just because the mainline kernel has been patched doesn't mean every distribution's kernel has been patched.

"Updated kernel packages for Fedora 12 and 13 will soon be available from the updates testing repositories, and will be released as stable after being tested," Mark Cox, director of security response at Red Hat, told InternetNews.com. "Packages for Red Hat Enterprise Linux are being worked on and will be released as soon as they are complete."

Although there are no reports of the flaw having been exploited (according to Mark Cox), be aware of the vulnerability and update your distros as soon as the patches are available.
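A first triage step for the advice above is to compare the running kernel against the mainline release that carries the fix. The following is an added example written for this page, not code from the article or from any distribution; the helper names (kernel_base, version_ge, triage_kernel) are assumptions. It compares dotted version numbers after stripping distro suffixes such as "-24-generic" or "-194.el5". Because distributions backport fixes into older version numbers, a result of "below" does not prove a system is unpatched; it means you should check the distro's advisory or package changelog for CVE-2010-2240 before concluding anything.

```shell
#!/bin/sh
# Added example (not part of the article): compare a kernel version string
# against a minimum fixed version. The mainline fix for CVE-2010-2240 shipped
# in 2.6.35.2, but distributions backport fixes into older version numbers, so
# a version below the mainline one is NOT proof the system is unpatched; treat
# this as a first triage step, then confirm against your distro's advisory.

# kernel_base VERSION -> strips distro suffixes such as "-24-generic" or "-194.el5"
kernel_base() {
    printf '%s\n' "$1" | sed -e 's/[-+].*$//'
}

# version_ge A B -> returns 0 (true) if A >= B, comparing dotted numeric fields;
# a missing field counts as 0, so 2.6.35 < 2.6.35.2
version_ge() {
    a=$(kernel_base "$1"); b=$(kernel_base "$2")
    i=1
    while :; do
        fa=$(printf '%s\n' "$a" | cut -d. -f"$i")
        fb=$(printf '%s\n' "$b" | cut -d. -f"$i")
        # both version strings exhausted with no difference found: equal
        [ -z "$fa" ] && [ -z "$fb" ] && return 0
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# triage_kernel RUNNING MINIMUM -> prints "at-or-above" or "below"
triage_kernel() {
    if version_ge "$1" "$2"; then echo "at-or-above"; else echo "below"; fi
}

# Usage on a live system (the minimum is the mainline release named in the article):
# triage_kernel "$(uname -r)" 2.6.35.2
```

The comparison is done field by field rather than with a string sort so that 2.6.35.10 correctly ranks above 2.6.35.2, and the suffix stripping keeps vendor build tags from being misread as version fields.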

About

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

14 comments
tom

Ah yes, the wonder of open source! As in "I wonder who has a patch for my buggered version". You Buntus can keep the silly thing. I will stay with a real OS.

seanferd

Not really, but a lot of people seem to have this opinion. Thanks for the info.

Jaqui

About Mandriva's urpmi tools: fire up the update and it goes to get the latest list before listing anything. So if the listing is empty, no patches are available. No need to update the list manually [like most distros do].

Neon Samurai

Debian 5 Stable's kernel update is ready and in repositories. The full timeline is interesting:

- 17 June 2010 - ITL notifies X.org security team about the vulnerability
- 20 June 2010 - X.org security team suggests to discuss the issue with Linux kernel developers, as the proper solution should be implemented in the kernel
- 13 Aug 2010 - the fix is committed to Linus' tree [4]
- 17 Aug 2010 - the paper is published
- 20 Aug 2010 - patched kernel available in Debian Stable (I'm adding this bullet on the end of the timeline from the PDF)

57 days between report and solution in mainline kernel source. 07 days between patch availability and Debian repository packaging. Not sure where other distributions are at with packaging a kernel update for their respective users.

RipVan

...did you mean the well known "Swiss cheese of operating systems??"

FXEF

Don't feed the trolls!

seanferd

You know, just like MS patches Windows, each distro patches itself. What is so difficult about that? The distro also generally has patches and updates for all the installed software as well. Enjoy your real OS.

Michael Jay

Because the bad guys are smart and sly, they will find a way into anything, even a "real OS", whatever that is. Pay attention, keep your OS up to date and don't forget the firewall. The best defense is a good defense, cause they are out there and hungry.

Neon Samurai

Because you'd get this kind of transparency with a "real OS" outside the FOSS world right? What details has Microsoft provided regarding the latest kernel vuln? (I'm assuming your mention of *buntus is aimed at any distribution that happens to be Linux based but correct me if I'm reading that wrong)

Neon Samurai

Well, I think it was "urpmi --no-suggest --auto-update" when I was still using it. These days it's "aptitude update && aptitude full-upgrade" for me. Technically two separate program calls/jobs, but still a single command typed or as a Bash alias. It is nice that urpmi doesn't give you the option to work against out-of-date package lists though. urpmi really is what Red Hat should have written rpm to be instead of needing Mandriva's wrapper to make it functional. Until urpmi, I still used "rpm --rebuild package.src.rpm" to confirm that I had all the dependencies in place. If I can build it, I can install it.

Brainstorms

which kernels are being patched / released? They mention 2.6.35, but what about distros that are still running 2.6.31, 2.6.32, etc.? Neon, which kernel does 'Lenny' run?

Neon Samurai

The patch code is available though, so one would have to check their specific distributions. I did also notice that Parted Magic had an update last week: Linux kernel 2.6.34.5.

Neon Samurai

Not surprising that they did the production version Lenny before the beta version Squeeze. Squeeze got its kernel update a day or two ago now though.

Brainstorms

For 10.04, it was 2.6.32-24 #41. In fact, they've patched all the way back to 2.16.55, for Ubuntu 6.06.
