Secunia Security Advisory - Debian has issued updates for kernel-patch-vserver and util-vserver. This fixes two security issues, which can be exploited by malicious programs to bypass certain security restrictions.
3e805d4846f597a13a1184b4e3731e7a1455311eed7d4051aa6f97453a9e1c26
TITLE:
Debian update for kernel-patch-vserver / util-vserver
SECUNIA ADVISORY ID:
SA19339
VERIFY ADVISORY:
http://secunia.com/advisories/19339/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
Local system
OPERATING SYSTEM:
Debian GNU/Linux unstable alias sid
http://secunia.com/product/530/
Debian GNU/Linux 3.1
http://secunia.com/product/5307/
DESCRIPTION:
Debian has issued updates for kernel-patch-vserver and util-vserver.
This fixes two security issues, which can be exploited by malicious
programs to bypass certain security restrictions.
1) The 2.4 kernel patch included in the kernel-patch-vserver package
does not properly setup the chroot barrier when used with
util-vserver. This may result in unauthorised escapes from a vserver
to the host system.
2) The default policy of util-vserver is set to trust all unknown
capabilities instead of considering them as insecure.
For more information:
SA19333
SOLUTION:
Apply updated packages.
-- Debian GNU/Linux 3.1 alias sarge --
Source archives:
http://security.debian.org/pool/updates/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.5.dsc
Size/MD5 checksum: 637 415731be72a9cd966e2fdb5d4f408c4a
http://security.debian.org/pool/updates/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.5.tar.gz
Size/MD5 checksum: 950447 fe6b34612095d2fbdbaab5aefbd83264
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3.dsc
Size/MD5 checksum: 752 e32069a5ca2ef2bc87794cd6c2160821
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3.diff.gz
Size/MD5 checksum: 115947 d0bb2cd998a73905189ee24b5f46dd0d
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204.orig.tar.gz
Size/MD5 checksum: 677831 b315f375b1cef48da1b644dec18f22bd
Architecture independent components:
http://security.debian.org/pool/updates/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.5_all.deb
Size/MD5 checksum: 436934 b50048ea819d150d660ed96e3988613b
Alpha architecture:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_alpha.deb
Size/MD5 checksum: 600660 e52fe0ff93e4c9ca7d58fe8386ebab5a
AMD64 architecture:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_amd64.deb
Size/MD5 checksum: 429530 c4155982844c085b7d9bc59d7eaa02c4
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_i386.deb
Size/MD5 checksum: 398794 56831faa6fa6d76c601fee78251f50eb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_ia64.deb
Size/MD5 checksum: 640332 ab2b2e4283ca5b62c9d9cf5776b6dadb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_mips.deb
Size/MD5 checksum: 612918 e4a60532f25ce776880261de79278e85
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_mipsel.deb
Size/MD5 checksum: 614152 f3aee29aad2682878f8ed22064f3fafa
PowerPC architecture:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_powerpc.deb
Size/MD5 checksum: 425444 9a7542249c2b70661abab2afd5270462
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_s390.deb
Size/MD5 checksum: 440880 376560971a0d2db4bfd51beb67d42bff
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_sparc.deb
Size/MD5 checksum: 395640 51e24ac4754b1aa41277378ee9271a1f
-- Debian GNU/Linux unstable alias sid --
Fixed in version 2.3 of kernel-patch-vserver and in version
0.30.208-1 of util-vserver.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Bjørn Steinbrink.
ORIGINAL ADVISORY:
http://www.debian.org/security/2006/dsa-1011
OTHER REFERENCES:
SA19333:
http://secunia.com/advisories/19333/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------