MandrakeSoft withdraws 'unsafe' Linux update

MandrakeSoft has advised users of its Mandrake Linux 9.1 operating system not to install a security update released on Sunday due to a serious security bug in the update. If users have already installed the update, MandrakeSoft urged them to downgrade to a previous version if possible.

The unusual warning concerned a routine security update to the kernel, or core, of Mandrake Linux 9.1 released at the beginning of this week. On Tuesday, the company warned that the kernel update was not safe, as it was creating files that could be altered by any user.

"The regular kernel (kernel-2.4.21.0.24mdk) has a problem where it is ignoring umask settings and instead is creating files with mode 0666 (world writeable)," wrote MandrakeSoft security update manager Vincent Danen to a Mandrake security mailing list. He said MandrakeSoft's secure and enterprise kernels were not affected by the bugs.

The updated kernel, kernel-2.4.21.0.24mdk, should be rolled back to kernel 18mdk or 13mdk if possible, or swapped for the secure kernel, Danen said. MandrakeSoft said it was working on a fix for the 24mdk kernel, and said it expected to release the fix on Friday.

The latest kernel update fixed several software bugs and security holes.

Let the editors know what you think in the Mailroom.