LinuxQuestions.org
Old 01-06-2004, 12:22 AM   #16
davidsrsb
Member
 
Registered: Oct 2003
Location: Kuala Lumpur, Malaysia
Distribution: Slackware 13.37 current
Posts: 770

Rep: Reputation: 33

There's a lot of 2.2.25 still in use too, it was popular in the floppy firewall distributions because 2.4 was too big.
I don't know of any "release status" distribution using 2.6.0; for use in the production environment there is a lot of work needed by third-party driver writers, especially the binary ones like nvidia and most internal modems.
 
Old 01-06-2004, 11:54 AM   #17
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
2.6.1 rc-2 Out, fixes security bug

2.6.1 rc-2 is up on kernel.org and fixes the latest security problem, as well as a ton of other small bugs since the 2.6.0 release. I recommend updating if you are concerned with security and are running a 2.6 kernel series kernel.
 
Old 01-07-2004, 03:39 AM   #18
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Original Poster
Rep: Reputation: 76
Quote:
Originally posted by jtshaw
... the most important thing for enterprise linux was for the 2.4 kernel to get fixed.
Agreed. The 2.4 kernel is definitely the most critical for enterprises, but as another poster points out 2.2.x is still in use, and it never looks good when you release what is touted as an "enterprise-friendly" kernel and then appear to be apathetic towards security concerns with said kernel. It's more the appearances than the actual harm (probably only a few professional sites are using the 2.6.x kernels at this point).

My point was supposed to be that I'll bet IBM and Novell (et al) wish Linus had said things a little differently, but I got side-tracked and ended up posting something slightly different than I intended.
 
Old 01-07-2004, 08:00 AM   #19
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602

Rep: Reputation: 4084
Just in case anyone missed the announcement, 2.2.x is actually not vulnerable.

--jeremy
 
Old 01-07-2004, 10:12 AM   #20
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Rep: Reputation: 30
Could someone help to explain if this is easily exploited? For example, if a machine is behind a firewall and only allows port 80 would apache accept the exploit and execute it? Or am I way off track with my thinking? Thanks
 
Old 01-07-2004, 02:58 PM   #21
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Original Poster
Rep: Reputation: 76
zuessh:
The exploit must be locally exploited, so it has to be a user of the system, or in some way able to get a program to execute code of their choice.
 
Old 01-07-2004, 04:43 PM   #22
stoffell
Member
 
Registered: Apr 2003
Location: belgium
Distribution: debian
Posts: 72

Rep: Reputation: 15
local exploit

Good remark in previous message. If you've read some posts in the thread, it would seem that almost every Linux would be under attack pretty soon.

But, indeed, it's a local exploit, so, it's a serious vulnerability, but does that mean that every webserver having a 2.6 kernel is going down pretty soon because there won't be a 2.6.1 out in a few hours? No it doesn't! :-)

So, don't panic, just look at it, see for yourself how 'vulnerable' you might be, and then start screaming :-)

Anyway, if security updates are available, get your systems patched but don't overreact...

Cheers..
 
Old 01-07-2004, 05:30 PM   #23
TheOneAndOnlySM
Member
 
Registered: Jul 2003
Location: Dallas, TX
Distribution: Ubuntu 10.04 LTS
Posts: 987

Rep: Reputation: 30
Agreed with the above poster.

Let's not get overly worried about this thing; there have been security issues in the past, so this is not something new.

Besides, like already mentioned, it is not likely this will get super-exploited and take down the Linux community.

When I first read Linus Torvalds' comments in this post, I actually sympathised with him; think of what would go through his mind and it is not like he is soothed to hear that a major flaw has been detected, especially since he had to find out on a news site after several others had already begun screaming.

Many (perhaps most) people here will have kernels with the exploit, yes, but will it lead to the end of anything? Absolutely not.

Think, if Linus Torvalds did not keep his wits together and make a fairly calm comment under great pressure, he would have lost it! So I ask that we not criticize his remarks.

The patch is already available for those who still worry. Distro companies will have their own special patches for special Red Hat and SuSE kernels and such. This is not to say to take the situation lightly, because no one is, and Linus did not (the patch was made as soon as he heard of the problem), and the same goes for the developers of the 2.4 kernel.

The same idea of keeping calm is to ensure that other major exploitable problems are placed into the 2.6.1 kernel because the team is being ushered into releasing something prior to the necessary testing phase and such.

The purpose, reiterated, of my post is not to state or mention that the vulnerability is a problem, however this is in defense of Linus Torvalds, his team, and his recent comments. I hope everyone will understand this and take this into consideration.

*edit: the amount of effort to avoid mentioning Windows in this post took more out of me than I thought... I leave for bed now

Last edited by TheOneAndOnlySM; 01-07-2004 at 05:31 PM.
 
Old 01-09-2004, 03:15 AM   #24
davidsrsb
Member
 
Registered: Oct 2003
Location: Kuala Lumpur, Malaysia
Distribution: Slackware 13.37 current
Posts: 770

Rep: Reputation: 33
Jeremy - Where did you see that 2.2 was not affected? I would be glad to know that it's clean.

quote
>Synopsis: Linux kernel do_mremap local privilege escalation vulnerability
>Product: Linux kernel
>Version: 2.2, 2.4 and 2.6 series
 
Old 01-09-2004, 08:50 AM   #25
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602

Rep: Reputation: 4084
http://www.isec.pl/vulnerabilities/isec-0013-mremap.txt has been updated.

from LKML
Quote:
It seems to be indeed so. This was just posted to bugtraq & co:

Hi,

our initial posting contains a mistake about the vulnerability of the
2.2 kernel series. Since the 2.2 kernel series doesn't support the
MREMAP_FIXED flag it is NOT vulnerable. The source states "MREMAP_FIXED
option added 5-Dec-1999" but it didn't make into recent 2.2.x. We
apologize for inconvenience.

--
Paul Starzetz
iSEC Security Research
http://isec.pl/
--jeremy
 
Old 01-15-2004, 10:09 PM   #26
grndrush
LQ Newbie
 
Registered: Jan 2004
Location: Hamilton, Ontario, Canada
Distribution: Arch
Posts: 17

Rep: Reputation: 0
jts: Have you *used* 2.6 much? Try it, you'll like it! And, you'll realize why so many people are jumping on it so fast - it's already, IMO, as stable as 2.4.x, and it's unquestionably faster (even on a single-proc desktop). I don't think 2.4 will go down as one of Linux' finer efforts - 2.6.x may well! Especially given the stable point it appears to be starting from.

Mod: Arch has a 2.6 kernel-based install ISO as an option (non-supported, but stable by all reports). It *isn't* their supported, base distro.
 
Old 01-22-2004, 11:36 PM   #27
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
All VERY interesting! I checked my Red Hat and I have Kernel 2.4.7-10. What would be the recommended patch? -gonna Google that now
 
Old 01-22-2004, 11:44 PM   #28
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
I click the closest kernel patch and it starts a download to a Mac?? Add an option to verify the start of download, dudes! My Linux box is offline while I look into this, so my Mac shouldn't really even start this download.
 
Old 01-22-2004, 11:53 PM   #29
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
Sorry forgot to mention that last post was a copy of e-mail sent to a kernel patch web site
 
Old 01-24-2004, 11:51 PM   #30
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
I looked into it and I found that the mysterious motive for *hacing* Linux boxes is to obtain a hack launch platform to conceal the haxors real IP/box etc. Gees ok, I kinda expected my doz box> Linux transition was going to enhance hac *cough* security, obviously no! But doesn't this actual motive isolate a bit whether or not kernel stability is really the central issue here?
 
  


All times are GMT -5.
