[19118] in bugtraq

Re: Linux kernel sysctl() vulnerability

daemon@ATHENA.MIT.EDU (Ryan W. Maple)
Sat Feb 10 17:47:36 2001

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.10102101423370.2356-100000@mastermind.inside.guardiandigital.com>
Date:         Sat, 10 Feb 2001 14:26:12 -0500
Reply-To: "Ryan W. Maple" <ryan@GUARDIANDIGITAL.COM>
From: "Ryan W. Maple" <ryan@GUARDIANDIGITAL.COM>
X-To:         Florian Weimer <Florian.Weimer@RUS.UNI-STUTTGART.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <tg3ddmanvi.fsf@mercury.rus.uni-stuttgart.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Sat, 10 Feb 2001, Florian Weimer wrote:

> Chris Evans <chris@SCARY.BEASTS.ORG> writes:
>
> > There exists a Linux system call sysctl() which is used to query and
> > modify runtime system settings. Unprivileged users are permitted to query
> > the value of many of these settings.
>
> It appears that all current Linux kernel versions (2.2.x and 2.4.x) are
> vulnerable.  Right?
>
> Was it really necessary to release this stuff just before the weekend?

Caldera and Immunix issued advisories on Thursday, and Red Hat issued one
early Friday.  Alan Cox said that it would be fixed in 2.2.19pre9 which
was also released on Friday (IIRC).

I do agree that releasing it right before the weekend was not the _best_
thing to do, but updates were available on Thursday.

Cheers,
Ryan

 +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
   Ryan W. Maple          "I dunno, I dream in Perl sometimes..."  -LW
   Guardian Digital, Inc.                     ryan@guardiandigital.com
 +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6hZXWIwAIA9MpKWcRAg36AJ99ZmDHtY1NH2SJQBlrOHUWjzm+fACeIQFG
R9TXzt2yqzU478Jx4Z384OE=
=zZ+R
-----END PGP SIGNATURE-----
