[gentoo-announce] GLSA: gentoo-sources (200308-01)

[puggy]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200308-01
- - - ---------------------------------------------------------------------

PACKAGE : gentoo-sources
SUMMARY : multiple vulnerabilities
DATE : 2003-08-14 12:16 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <gentoo-sources-2.4.20-r6
FIXED VERSION : >=gentoo-sources-2.4.20-r6
CVE : CAN-2003-0244 CAN-2003-0246 CAN-2003-0462

- - - ---------------------------------------------------------------------

- - quotes from CVE:

"The route cache implementation in Linux 2.4, and the Netfilter IP
conntrack module, allows remote attackers to cause a denial of service
(CPU consumption) via packets with forged source addresses that cause a
large number of hash table collisions."

"The ioperm system call in Linux kernel 2.4.20 and earlier does not
properly restrict privileges, which allows local users to gain read or
write access to certain I/O ports."

"A race condition in the way env_start and env_end pointers are
initialized in the execve system call and used in fs/proc/base.c on
Linux 2.4 allows local users to cause a denial of service (crash)."

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-kernel/gentoo-sources upgrade to gentoo-sources-2.4.20-r6 as follows

emerge sync
emerge gentoo-sources
emerge clean

After that, compile, install and reboot your computer to complete
the upgrade.

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at http://dev.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/O32dfT7nyhUpoZMRAvRRAJ9gKhIHNvEKkhnIGh50DV06W93E/gCffg3L
foJIctGEKqdWsL9tFbFxArI=
=qIHR
-----END PGP SIGNATURE-----
_________________
Where there's open source , there's a way.