
Holes found in Linux Ubuntu kernel

Darren Pauli, ZDNet Australia | March 4, 2011 4:42 AM PST

Summary

Almost 40 vulnerabilities have been discovered in the kernel of Linux Ubuntu 10.04, also known as Lucid Lynx, which is a long-term support version of the operating system.


The holes, which allow remote and local exploits, also apply to corresponding versions of Kubuntu, Edubuntu and Xubuntu. The vulnerabilities include an issue with the way the Common Internet File System validates Internet Control Message Protocol (ICMP) response packets. The issue allows an attacker to send crafted packets that cause a denial of service. In addition, a hole in the Network File System v4 (NFSv4) handling of certain write requests allows malicious users to craft traffic to gain root privileges.

"If you block ICMP you will get UDP (User Datagram Protocol) trouble because it does not have reliability built into it. You will get ICMP messages back," Securus Global researcher Declan Ingram said. "Being able to cause a kernel panic with an ICMP unreachable message is bad."

For more on this story, read Ubuntu peppered with holes on ZDNet Australia.

36 Comments


Every OS has problems
Michael Alan Goff 7th Mar 2011
N/T
0 Votes
RE: Holes found in Linux Ubuntu kernel
TriangleDoor 4th Mar 2011
...and they have *already been fixed*, and download packages are already coming down with the system updater.
0 Votes
RE: Holes found in Linux Ubuntu kernel
jeremychappell 4th Mar 2011
@TriangleDoor Doesn't make such a good story then does it? I don't think you understand what ZDNet are trying to do here...
0 Votes
RE: Holes found in Linux Ubuntu kernel
TriangleDoor 4th Mar 2011
@jeremychappell

Oh, I do. The ZDNet Australia story mentioned that they'd been fixed, although it manages to invite the reader to characterize the fixes as "onerous." The ZDNet America story is even more yellow in that it fails to mention the updates. Such coverage is *exactly* what we expect from this venue under its current ownership and management.
0 Votes
So what the story is actually saying
Will Farrell 4th Mar 2011
@TriangleDoor
is that they knew about the vulnerabilities for a while and didn't tell users how to protect themselves in the interim.
0 Votes
RE: Holes found in Linux Ubuntu kernel
jeremychappell 4th Mar 2011
@Will Farrell No, Ubuntu has an update procedure that would be very familiar to users of Mac OS X or Windows. They have a really strong track record of issuing patches. I'm afraid this is just trying to make something out of nothing. It's sad really as it makes sensible debate less likely and pointless fanboy flamewars inevitable.
0 Votes
@Will Farrell I agree with jeremychappell... this is something out of nothing!!! Every OS has these types of issues and will always need patches. We cannot continue to knock OSX and Windows because of the same thing... All OS's by design will have these problems. Just do your best to protect your neck!!!!
even if they have been fixed. Just relax, the truth about the severity, etc, will come out.
0 Votes
RE: Holes found in Linux Ubuntu kernel
mgaul Updated - 4th Mar 2011
@DonnieBoy

Funny, you can't wait to jump down the throat of MS if there was something patched . . .
0 Votes
Someone (ZDNet) must have been asleep!
fatman65535 Updated - 4th Mar 2011
@TriangleDoor

Not only have these updates been available, the kernel version referred to in the ZDNet.au article has been replaced.

According to Synaptic, for the 2.6.35-25 kernel, the latest update is 2.6.35-25.45; and currently I am using the 2.6.32-29.58 kernel.

IOW - OLD NEWS!!!!
0 Votes
What version of kernel? Lucid Lynx comes with 2.6.32, and you can install a newer one, I have 2.6.34
0 Votes
This is a non-issue
Michael Alan Goff 4th Mar 2011
Just update to the most recent kernel and you're safe.
0 Votes
@goff256: This is a non-issue

Just update to the most recent kernel and you're safe.


However if the discussion were about Windows it would be yet another example of how bug ridden Windows is. Hypocrisy at its finest.
0 Votes
If this were a topic about Windows
Michael Alan Goff 4th Mar 2011
I would say the same thing.

I know, I have.
0 Votes
@goff256: If this were a topic about Windows
I would say the same thing.


I don't see you anywhere to be found in the "MS Patch Tuesday heads-up: Critical flaws in Windows, Office" talkbacks saying the same thing. As a matter of fact I don't see you having posted there at all.
0 Votes
These past couple of weeks
Michael Alan Goff 4th Mar 2011
I have been kind of shy about posting to Microsoft threads, since I have a stalker named Search & Destroy who sees it fit to respond to almost any of my topics.
0 Votes
RE: Holes found in Linux Ubuntu kernel
daikon Updated - 4th Mar 2011
@goff256
You did post several comments.
Microsoft Patch Tuesday: The bottom line, December 14, 2010, 1:01pm PST
0 Votes
How do you find those?
Michael Alan Goff Updated - 4th Mar 2011
And what did I say?

It's been a LOOONG time since I said whatever it is I said. XD
0 Votes
@goff256
Search: Microsoft Patch Tuesday
Your comments back then are in line with what you wrote above.
we have more information on this, we will be in a better position to say how serious it was.
0 Votes
Yeah, but I just wanted to make sure it was known
Michael Alan Goff 4th Mar 2011
The patch is out, just download it.
0 Votes
RE: Holes found in Linux Ubuntu kernel
audidiablo 4th Mar 2011
@DonnieBoy

I just wanted to thank you for not posting like an ****** as I've seen in previous posts. You seem to be more open minded about these things. All OS's have their flaws and security issues. Although MS has its issues so do all other OS's and if not the worst on security would be Apple, not Microsoft.

Also please note to people that they need to run the update manager instead of waiting for it to notify you of updates in Ubuntu. I run updates every time I'm in Ubuntu to keep safe and up to date.

Thanks again for the positive attitude!
No, it's about how they take their sweet time fixing the bugs they know about. While Linux bugs get immediate attention, from more people than Microsoft could ever afford to pay, and fixes come quickly.

And everyone knows that ZDNet shills for Microsoft. The price of doing business?
0 Votes
@Dr_Zinj - When you have a product with a reported flaw which might affect billions of users and then fix that issue, you have to do VERY extensive testing to ensure that your fix, too, doesn't break hundreds of billions of app-os-hardware configurations.

Microsoft (rightly) gets nailed hard when it screws up a patch or update, but one cannot deny that in all reality, it is actually very effective at delivering patches on an extraordinarily wide-spread basis that fix issues and cause relatively few problems while doing so.

It's great to see the Linux distros also standing up and owning the automatic update process for their releases - it's a very clear acceptance that all software has bugs that must be patched in a timely manner. Period.
0 Votes
@bitcrazed Yawn... It's called having a good unit test suite.
0 Votes
I find any of this impossible to believe... DTS my Linux Advocate stakes his reputation on it!
0 Votes
@Badgered
What is impossible to believe?
0 Votes
RE: Holes found in Linux Ubuntu kernel
CodeCurmudgeon 4th Mar 2011
I was wondering about why the update the other day was so ginormous. Seems like it was about the biggest non-version upgrade of Ubuntu since I started with 6.6
0 Votes
@CodeCurmudgeon
It should just be the kernel, which gets updated regularly and which isn't that large. I don't think this was related to your large download.
0 Votes
The people who compile the kernel compile the updates
Michael Alan Goff Updated - 4th Mar 2011
And the Ubuntu gets it and it goes in the update repositories.
0 Votes
How about you make this article more useful (rather than the useless garbage that it is) by saying:

1. Which version of ubuntu?
2. Is the Linux Kernel as a whole affected?
3. Has it been patched?
4. Which version of the kernel is affected?
0 Votes
RE: Holes found in Linux Ubuntu kernel
Michael Alan Goff Updated - 4th Mar 2011
a. 10.04
b. Not sure, I think so.
c. Yes
d. linux-image-2.6.35-25, I think
0 Votes
RE: Holes found in Linux Ubuntu kernel
putty.master Updated - 4th Mar 2011
LRD says he doesn't use Linux. I find that hard to believe. I guess that means he stays away from the 60% of websites out there running LAMP? Maybe he somehow avoids having a home router or modem. How does he avoid the myriad of devices running embedded versions of Linux for managing everything from storage to spam filters to IDS and firewalls? To put it bluntly: If you use the internet, you're using Linux. There's simply no way around it.

LRD can continue to use willful ignorance to spread hate and fear all he wants. It doesn't change the fact that he uses Linux. Every. Single. Day.
0 Votes
RE: Holes found in Linux Ubuntu kernel
Loverock Davidson 6th Mar 2011
@putty.master
This old argument again? Allow me to prove you wrong and like it.

I don't use linux, I would never use it in any serious production environment. The only time I use it is to see if a new release is worthy and thus far they haven't been. I don't use linux when I'm using the web because linux is not on my machine. I'm not typing on it, I don't come in contact with it. My computer has no linux on it so I am not using it at all.
0 Votes
Message has been deleted.
Loverock Davidson Updated - 7th Mar 2011
0 Votes
RE: Holes found in Linux Ubuntu kernel
Loverock Davidson 7th Mar 2011
LOL! Your bulletproof OS just got shot up 40 times! This is the reason I will not use linux in any production environment. It's just not worth the hassle because you never know what holes are there and when they will be fixed. Not only that but I refuse to spend all day recompiling a kernel just to make the OS secure.
0 Votes