The Linux developers have released kernel versions 18.104.22.168 and 22.214.171.124 which fix a critical vulnerability revealed last week. The vulnerability, which is found in all 2.4 and 2.6 series Linux kernels since 2001 and for which there is already an exploit, allows users with restricted privileges to obtain root privileges. The developers urgently recommend users update to the new versions.
Debian has already released updated kernels for the current Debian 5.0 (Lenny) and its predecessor Debian 4.0 (Etch), as has Fedora for Fedora 10 and 11. Users of these distributions can install the fixes using the package management update mechanism. Updated kernels for Ubuntu and openSUSE are not yet available.
From an article in The H Security: Linux kernel vulnerability fixes – Update 3
17 August 2009, 16:40
Update 18 August – There is currently no patch for Red Hat Enterprise Linux (RHEL), but the company does offer a workaround which involves blacklisting certain network protocols so that the exploit that is currently in the wild does not function. The CentOS developers are waiting on a patch to appear from Red Hat and in the interim recommend a similar procedure as a workaround. Novell has said there is no patch yet available for SUSE Linux Enterprise Server.
Update 19 August – Ubuntu have released updates for Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, Ubuntu 8.10, Ubuntu 9.04 and all corresponding versions of Kubuntu, Edubuntu, and Xubuntu. Details of the updates are given in an Ubuntu Security Notice and the updates are available through Ubuntu’s software Update Manager system.
Update 25 August – Red Hat, Novell and CentOS have now published updates to address the vulnerability for RHEL 4 and 5, SUSE Linux Enterprise Server/Desktop and openSUSE 10.3 to 11.1, and CentOS 4 and 5 respectively.