Security flaws force Linux kernel upgrade

Open-source developers released a new version of the Linux kernel Monday in a move aimed at quickly fixing several bugs--among them two serious security flaws.

The 2.4.24 release comes a month after the previous version of the kernel and contains patches for only six issues, among them the two security flaws.

The release is intended to prompt users to upgrade quickly, said Marcelo Tosatti, the maintainer of the 2.4 kernel series and a Linux developer for data center management company Cyclades.

"These security issues need to be fixed as soon as possible," Tosatti said in an interview Monday. As maintainer, Tosatti decides what changes can be made to the kernel and when to release new versions of the core system software for Linux.

The most serious flaw, in a function used by the kernel's virtual memory subsystem, resembles a vulnerability fixed in late November that unknown attackers had exploited to take control of several key servers used by open-source developers. Both flaws allow an attacker with a normal user account to escalate its privileges to those of root, the system's administrative account.

Tosatti said that once it became clear that the latest flaw could be used to circumvent security on Linux systems, he and the other developers decided to release the fixes immediately. The move follows the kernel developers' decision to curtail new features in the 2.4 series in order to move developers and users to the next generation of the kernel, 2.6. The final set of features that had been intended for this release has been postponed until the next version, he said.

"It is good that I have the ability--because this is open source--to release the code so quickly," Tosatti said.

The second security flaw is a device driver bug that could allow an attacker to read some memory used by the kernel.

The latest version of the kernel can be downloaded from Kernel.org. Patches for specific Linux distributions can be downloaded from their developers.


Talkback 7 comments

    So open source is not nearly a ...Anonymous -- 06/01/04

    So open source is not nearly as infallible as the open source gurus purport it to be. After all these years of "Microsoft bashing" maybe people will now see that this is an issue for ALL IT platforms, not just those of the "Evil Empire".

    Only a FOOL would believe that ...Anonymous -- 06/01/04

    Only a FOOL would believe that Linux was more secure than any other OS.

    What the Linux freaks will discover is that as Linux becomes mainstream more and more security issues will be found.

    By its very nature Open Source is inherently insecure.

    To both of the above posters: ...Anonymous -- 07/01/04

    To both of the above posters:

    Unless you are both MS employees with access to their source, build system and release mechanisms, you'll have a very hard time fixing any flaws in MS code. Which makes you more or less at mercy of Bill's balance sheet.

    With Linux, you can start right now. Provided you know how... ;-)

    Re: to the two above poster. W ...Anonymous -- 08/01/04

    Re: to the two above poster.

    Well I guess millions of so-called "coders/hackers" did have access to the Linux source code. That must be why this little error occurred.

    As for your comment on knowing what to do, most so-called hackers are script kiddies.

    But I guess you must be a Linux zealot as you missed the point of my comment.

    The point is that Linux is just as insecure as any other OS.

    Re: Re: to the two above poste ...Anonymous -- 08/01/04

    Re: Re: to the two above posters:

    > The point is that Linux is just as insecure as any other OS.

    And you claim this on the basis of seeing source code of Windows or on the basis of the percentage of compromised machines exposed to the outside world? If the former, you must be an MS employee with access to the source, in which case you should be fixing all those problems that make Windows just as insecure as Linux. After all, you wouldn't want a superior product in the same insecurity category as Linux :-) If the latter, I'm afraid the numbers are not on your side.

    See, we can talk here all day, but the fact remains: you can actually convince yourself that everything is OK (or not) with Linux and other open source software. You can't do any such thing with Windows. Unless, of course, you're an MS employee with access to the source, which would make you a minority, even when compared to the total number of MS employees.

    The above discussion applies to any open source v. closed source software. The point is not what is more secure (security is not static), the point is what can be audited and secured (security is a process).

    "the basis of the percent ...Anonymous -- 08/01/04

    "the basis of the percentage of compromised machines exposed to the outside world"

    Just on this point, I have noticed more and more Linux security issues hitting the news. I'm guessing that this could be directly related to the increase in Linux servers.

    Also I am led to believe that the Linux kernel is controlled by a small group, which should have some "process" in place to ensure that no security issues arise. I think they may need to revise their process.

    Please don't get me wrong, I neither support Microsoft, Linux or any other specific flavour of OS. I have to work with whatever system my client implements.

    > Just on this point, I hav ...Anonymous -- 08/01/04

    > Just on this point, I have noticed more and more Linux security issues hitting the news. I'm guessing that this could be directly related to the increase in Linux servers.

    Good question, but it is not very related, IMHO. If you take a look at the Netcraft web server survey, you'll see that Apache sites have been outnumbering Windows sites by about 2:1 for a long time now. My bet is that at least half (if not more) of those systems are running Linux, many also FreeBSD (open source as well). So, if we go by that pessimistic estimate, the number of Linux and other open source targets would be sufficient to motivate someone to "take them down".

    Compromises happen on occasion. Recently Debian and Gentoo servers have been compromised, some because of bad security policies, some because of security flaws and misconfiguration, some because of both. A bit further in the past, there was an OpenSSL problem that caused thousands of Apache machines to be compromised (non-root user only). But the numbers were nowhere near Windows Nimda and Code Red compromises, for various reasons ranging from more competent admins, different flavours of the OS, different incarnations of Apache etc. In the Windows world everything's the same, so if someone gets hit, you're next...

    The number of discovered problems relates to various different factors, some of them being a direct result of code audits (like in the case of most recent ones). Programmers are people, they make mistakes, some of them cause security flaws. It's that simple. If you have a way of finding those mistakes (like in the case of this flaw) before they get exploited, you're actively participating in the security process.

    I would really like to know how one does that with source code that cannot be seen.

    > Please don't get me wrong, I neither support Microsoft, Linux or any other specific flavour of OS. I have to work with whatever system my client implements.

    No OS is perfect, especially not for every purpose. For some of us, however, freedom to see the code and change it is very important. Feel free to not share that view ;-)
