[GLLUG] Debian Server hacked
rw at shadow.org.uk
Fri Jul 14 16:39:35 UTC 2006
Bruce Richardson <itsbruce at uklinux.net> writes:
> On Fri, Jul 14, 2006 at 04:33:47PM +0100, Rich wrote:
>> Bruce Richardson <itsbruce at uklinux.net> writes:
>> > On Thu, Jul 13, 2006 at 09:54:19AM +0100, .myke wrote:
>> >> http://lists.debian.org/debian-devel-announce/2006/07/msg00003.html
>> >> A Gluck server at Debian was discovered to be hacked yesterday. They
>> >> have taken it offline and are preparing to rebuild it.
>> > They should be using Stable for their infrastructure. If they had been,
>> > this would not have happened.
>> It was a kernel vulnerability. This is the first reported usage of the
>> vulnerability. The relevant kernel version is in stable and testing.
> Eh? 2.6.8-2 is the latest official stable kernel.
Mind you, my brain may have turned to cheese :->
> Kernel vulnerability
> The kernel vulnerability that has been used for this compromise is
> referenced as CVE-2006-2451. It only exists in the Linux kernel
> 2.6.13 up to versions before 18.104.22.168, and 2.6.16 before 22.214.171.124.
> The bug allows a local user to gain root privileges via the
> PR_SET_DUMPABLE argument of the prctl function and a program that
> causes a core dump file to be created in a directory for which the
> user does not have permissions.
> The current stable release, Debian GNU/Linux 3.1 alias 'sarge',
> contains Linux 2.6.8 and is thus not affected by this problem. The
> compromised server ran Linux 126.96.36.199.
> If you run Linux 2.6.13 up to versions before 188.8.131.52, or Linux
> 2.6.16 up to versions before 184.108.40.206, please update your kernel
Only the admins know why those decisions were taken :->
(running a recent kernel on an otherwise-stable gateway machine)
rich walker | Shadow Robot Company | rw at shadow.org.uk
technical director 251 Liverpool Road |
need a Hand? London N1 1LX | +UK 20 7700 2487
Gllug mailing list - Gllug at gllug.org.uk