A serious Linux kernel vulnerability was patched by Linux Torvalds this week, but distros are still scrambling to catch up with the fix. Get the details here.
Security researcher Rafal Wojtczuk from Invisible Things Lab reported a Linux kernel vulnerability, which would allow any GUI application that could be compromised, such as a PDF viewer, to bypass Linux security and potentially take over the system. The flaw has been present since at least 2003, and according to LinuxPlanet, it first became known to developers and distros only in June. You can read the PDF report compiled by Wojtczuk here.
So far, though, only some progress has been made in closing the hole, known officially as CVE-2010-2240. Linux founder Linus Torvalds comitted a patch for the issue on Friday, and Linux kernel developer Greg Kroah-Hartman that same day formally announced the 220.127.116.11 Linux kernel release, advising all users to update.
The problem, of course, is that just because the main kernel has been patched, doesn't mean all the Linux versions of the kernel have been patched.
"Updated kernel packages for Fedora 12 and 13 will soon be available from the updates testing repositories, and will be released as stable after being tested," Mark Cox, director of security response at Red Hat, told InternetNews.com. "Packages for Red Hat Enterprise Linux are being worked on and will be released as soon as they are complete."
Although there are no reports of the flaw having been exploited (according to Mark Cox), be aware of the vulnerability and update your distros as needed, as soon as the patches are available.