Hi,

Linux 2.4.26-ow3 is out and available for download from the usual location:

http://www.openwall.com/linux/

This corrects the access control check in the Linux kernel which previously wrongly allowed any local user to change the group ownership of arbitrary NFS-exported/imported files (CAN-2004-0497) and adds a workaround for the file offset pointer races discovered by Paul Starzetz (CAN-2004-0415).

The former is only exploitable when files are NFS-exported from a server running a vulnerable version of Linux 2.4.x, and the currently publicly known exploit for the latter relies on code enabled with CONFIG_MTRR kernel build option which has not been enabled in the default kernels on Owl CDs. However, as the potential impact of both issues is a local root compromise, an upgrade of older Linux 2.4.x installs to 2.4.26-ow3+ is highly recommended.

--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments