-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  Kernel security update  (SSA:2004-006-01)

New kernels are available for Slackware 9.0, 9.1 and -current.
The 9.1 and -current kernels have been upgraded to 2.4.24, and a
fix has been backported to the 2.4.21 kernels in Slackware 9.0
to fix a bounds-checking problem in the kernel's mremap() call
which could be used by a local attacker to gain root privileges.
Sites should upgrade to the 2.4.24 kernel and kernel modules.
After installing the new kernel, be sure to run 'lilo'.

More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985


Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Tue Jan  6 15:01:54 PST 2004
patches/kernels/:  Upgraded to Linux 2.4.24.  This fixes a bounds-checking
  problem in the kernel's mremap() call which could be used by a local attacker
  to gain root privileges.  Sites should upgrade to the 2.4.24 kernel and
  kernel modules.  After installing the new kernel, be sure to run 'lilo'.
    For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
  Thanks to Paul Starzetz for finding and researching this issue.
  (* Security fix *)
patches/packages/alsa-driver-0.9.8-i486-2.tgz:  Recompiled against
  linux-2.4.24.
patches/packages/cvs-1.11.11-i486-1.tgz:  Upgraded to cvs-1.11.11.
  This version enforces greater security.  Changes include pserver
  refusing to run as root, and logging attempts to exploit the security
  hole fixed in 1.11.10 in the syslog.
patches/packages/kernel-ide-2.4.24-i486-1.tgz:  Upgraded bare.i kernel
  package to Linux 2.4.24.
patches/packages/kernel-modules-2.4.24-i486-1.tgz:  Upgraded to Linux
  2.4.24 kernel modules.
patches/packages/kernel-source-2.4.24-noarch-2.tgz:  Upgraded to Linux
  2.4.24 kernel source, with XFS and Speakup patches included (but not
  pre-applied).  This uses the XFS and Speakup patches for 2.4.23, which
  should be fine since 2.4.24 didn't change much code.  Proper XFS
  patches for 2.4.24 will probably be out soon to fix the one Makefile
  rejection for EXTRAVERSION = -xfs, but likely little else will be
  different since XFS development has already gone ahead to what is now
  the 2.4.25-pre kernel series.
patches/packages/kernel-modules-xfs/alsa-driver-xfs-0.9.8-i486-2.tgz:
  Recompiled against linux-2.4.24-xfs.
patches/packages/kernel-modules-xfs/kernel-modules-xfs-2.4.24-i486-1.tgz:
  Upgraded to Linux 2.4.24 kernel modules for the xfs.s (XFS patched)
  kernel.
+--------------------------+


WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+

Updated packages for Slackware 9.0:

An alternate kernel may be installed.  Those are found in this directory:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/kernels/


Updated packages for Slackware 9.1:

An alternate kernel may be installed.  Those are found in this directory:

The ALSA driver package has also been recompiled for 2.4.24:

The XFS patched kernel requires different kernel modules.  If you use
the XFS filesystem and XFS patched kernel (xfs.s), these packages
contain kernel modules compiled against 2.4.24-xfs:


Updated packages for Slackware -current:


MD5 SIGNATURES:
+-------------+

MD5 signatures may be downloaded from our FTP server:

Slackware 9.0 packages:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/CHECKSUMS.md5

To verify authenticity, this file has been signed with the Slackware
GPG key (use 'gpg --verify'):

ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/CHECKSUMS.md5.asc


Slackware 9.1 packages:

To verify authenticity, this file has been signed with the Slackware
GPG key (use 'gpg --verify'):

ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/CHECKSUMS.md5.asc


Slackware -current packages:
ftp://ftp.slackware.com/pub/slackware/slackware-current/CHECKSUMS.md5
ftp://ftp.slackware.com/pub/slackware/slackware-current/CHECKSUMS.md5.asc


INSTALLATION INSTRUCTIONS:
+------------------------+

Use upgradepkg to install the new kernel, kernel-modules, and alsa packages.
After installing the kernel-ide package you will need to run lilo ('lilo' at
a command prompt) or create a new system boot disk ('makebootdisk'), and
reboot.

If desired, a kernel from the kernels/ directory may be used instead.  For
example, to use the kernel in kernels/scsi.s/, you would copy it to the
boot directory like this:

cd kernels/scsi.s
cp bzImage /boot/vmlinuz-scsi.s-2.4.24

Create a symbolic link:
ln -sf /boot/vmlinuz-scsi.s-2.4.24 /boot/vmlinuz

Then, run 'lilo' or create a new system boot disk and reboot.


+-----+

Slackware: 2004-006-01: Kernel Security Update

January 7, 2004
New kernels are available for Slackware 9.0, 9.1 and -current

Summary

Here are the details from the Slackware 9.1 ChangeLog: Tue Jan 6 15:01:54 PST 2004 patches/kernels/: Upgraded to Linux 2.4.24. This fixes a bounds-checking problem in the kernel's mremap() call which could be used by a local attacker to gain root privileges. Sites should upgrade to the 2.4.24 kernel and kernel modules. After installing the new kernel, be sure to run 'lilo'. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985 Thanks to Paul Starzetz for finding and researching this issue. (* Security fix *) patches/packages/alsa-driver-0.9.8-i486-2.tgz: Recompiled against linux-2.4.24. patches/packages/cvs-1.11.11-i486-1.tgz: Upgraded to cvs-1.11.11. This version enforces greater security. Changes include pserver refusing to run as root, and logging attempts to exploit the security hole fixed in 1.11.10 in the syslog. patches/packages/kernel-ide-2.4.24-i486-1.tgz: Upgraded bare.i kernel package to Linux 2.4.24. patch...

Where Find New Packages

MD5 Signatures

Severity
[slackware-security] Kernel security update (SSA:2004-006-01)
New kernels are available for Slackware 9.0, 9.1 and -current. The 9.1 and -current kernels have been upgraded to 2.4.24, and a fix has been backported to the 2.4.21 kernels in Slackware 9.0 to fix a bounds-checking problem in the kernel's mremap() call which could be used by a local attacker to gain root privileges. Sites should upgrade to the 2.4.24 kernel and kernel modules. After installing the new kernel, be sure to run 'lilo'.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985

Installation Instructions

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved