U radu jezgre operacijskog sustava Ubuntu 8.04 LTS ispravljeno je više sigurnosnih nedostataka. Napadač je te nedostatke mogao iskoristiti za DoS (eng. Denial of Service) napad, otkrivanje podataka te dobivanje većih privilegija.
Paket:
Linux kernel 2.6.x
Operacijski sustavi:
Ubuntu Linux 8.04
Kritičnost:
5.4
Problem:
nepravilno rukovanje ovlastima, pogreška u programskoj komponenti
Iskorištavanje:
lokalno/udaljeno
Posljedica:
dobivanje većih privilegija, otkrivanje osjetljivih informacija, uskraćivanje usluga (DoS)
Sigurnosne ranjivosti se javljaju zbog pogrešaka u programskim komponentama "Auerswald usb driver" i "Stream Control Transmission Protocol", nepravilnog rukovanja ovlastima u komponenti "/proc/PID/io", itd.
Posljedica:
Zloćudni korisnik navedene ranjivosti može iskoristiti za otkrivanje informacija, stjecanje root ovlasti te napad uskraćivanjem usluga (DoS).
Rješenje:
Svim se korisnicima savjetuje korištenje dostupnih programskih nadogradnji.
==========================================================================
Ubuntu Security Notice USN-1236-1
October 20, 2011
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 8.04 LTS
Summary:
Multiple kernel flaws have been fixed.
Software Description:
- linux: Linux kernel
Details:
It was discovered that the Auerswald usb driver incorrectly handled lengths
of the USB string descriptors. A local attacker with physical access could
insert a specially crafted USB device and gain root privileges.
(CVE-2009-4067)
It was discovered that the Stream Control Transmission Protocol (SCTP)
implementation incorrectly calculated lengths. If the net.sctp.addip_enable
variable was turned on, a remote attacker could send specially crafted
traffic to crash the system. (CVE-2011-1573)
Vasiliy Kulikov discovered that taskstats did not enforce access
restrictions. A local attacker could exploit this to read certain
information, leading to a loss of privacy. (CVE-2011-2494)
Vasiliy Kulikov discovered that /proc/PID/io did not enforce access
restrictions. A local attacker could exploit this to read certain
information, leading to a loss of privacy. (CVE-2011-2495)
Dan Kaminsky discovered that the kernel incorrectly handled random sequence
number generation. An attacker could use this flaw to possibly predict
sequence numbers and inject packets. (CVE-2011-3188)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 8.04 LTS:
linux-image-2.6.24-29-386 2.6.24-29.95
linux-image-2.6.24-29-generic 2.6.24-29.95
linux-image-2.6.24-29-hppa32 2.6.24-29.95
linux-image-2.6.24-29-hppa64 2.6.24-29.95
linux-image-2.6.24-29-itanium 2.6.24-29.95
linux-image-2.6.24-29-lpia 2.6.24-29.95
linux-image-2.6.24-29-lpiacompat 2.6.24-29.95
linux-image-2.6.24-29-mckinley 2.6.24-29.95
linux-image-2.6.24-29-openvz 2.6.24-29.95
linux-image-2.6.24-29-powerpc 2.6.24-29.95
linux-image-2.6.24-29-powerpc-smp 2.6.24-29.95
linux-image-2.6.24-29-powerpc64-smp 2.6.24-29.95
linux-image-2.6.24-29-rt 2.6.24-29.95
linux-image-2.6.24-29-server 2.6.24-29.95
linux-image-2.6.24-29-sparc64 2.6.24-29.95
linux-image-2.6.24-29-sparc64-smp 2.6.24-29.95
linux-image-2.6.24-29-virtual 2.6.24-29.95
linux-image-2.6.24-29-xen 2.6.24-29.95
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1236-1
CVE-2009-4067, CVE-2011-1573, CVE-2011-2494, CVE-2011-2495,
CVE-2011-3188
Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.24-29.95
Posljednje sigurnosne preporuke