183 Comments
- ThantiK, on 01/29/2009, -9/+87 Read each one of those...
"A Local Attacker"
Last I checked a local attacker could just hit the power switch to DoS your machine. I dugg it because it was found, and fixed before anything could be seen in-the-wild, which is the beauty of open-source - We fix even small, stupid ***** like this.
- akerasi, on 01/29/2009, -3/+63 No OS is ever ALWAYS perfect, but Linux users often forget that they need to patch vulnerabilities, too. Good to see this here.
- fangor, on 01/29/2009, -0/+56 It was found that chaining an irate, rabid badger to the mouse and keyboard was not properly handled by the operating system, and resulted in local denial of service. This bug applies to all versions of all operating systems tested.
- kd420, on 01/29/2009, -0/+47 These are common with the Linux Kernel, has nothing to do with Ubuntu except it is posted on their site. Any distro with an update manager will alert you of kernel updates and usually mark them as urgent/important.
- rjinso, on 01/29/2009, -6/+51 Oh noes! Teh local denial of service vulnerabilities!
- shinythings, on 01/29/2009, -11/+53 All the more reason to use version 8.10
- alexiadeath, on 01/29/2009, -0/+31 A person who can log into your computer (i.e. you) can deliberately make it crash... Err... Running for cover yet?
- AussieCynic, on 01/29/2009, -4/+32 Agree with you both, although we don't suffer the same fate as windows users, we still must remember to keep updated, thanks for sharing
- SQLserver, on 01/29/2009, -0/+26 Um, dude, in case you haven't noticed, USB has absolutely taken over the computing world. Just about every gadget in the world uses it... Most modern desktop PCs don't even come with PS2 or parallel ports...
- shadowblade989, on 01/29/2009, -0/+25 Oh, you mean the auto update that released last night? Cool.
- php4me, on 01/29/2009, -1/+23 8.04 has 3 year LTS support. If you are running a server it may be a better choice than 8.10. The support for that will outlast 8.10, and you will have to do less upgrades.
An embedded car computer, for example. Do you want to be reinstalling the OS every 1.5 years or every 3 years...?
- Liganic, on 01/29/2009, -2/+23 If you have users log in by SSH which is common in enterprise environments the user is a "local" attacker...this is no "stupid *****", it's a serious issue.
- Benno, on 01/29/2009, -4/+25 The windows trolls on this thread make the linux trolls on windows threads look smart by comparison (which is no small feat).
- Krissam, on 01/29/2009, -7/+27 It actually does show that open source is perfect, it actually admits having vulnerabilities, as opposed to microsoft, you tell them an exploit exists, and the fastest they fix it is 2nd (or is it 1st) wednesday of the month, wtf?
- chrysalis, on 01/29/2009, -4/+24 Too many vulnerabilities in Ubuntu, I'm going to upgrade to Linux.
- BCPneumatics, on 01/29/2009, -0/+15 I've already installed the update, now I suppose I should take the "restart" icon's advice. Luckily most people who aren't aware of the dire need to keep updated have a single system and mindlessly click the icon when it pops up. If you don't get drawn into the "I'm going to use Terminal so I can be cool" thing, Ubuntu has come a long way towards being people friendly.
And P.S., vlk34, I am currently running a business solely from Ubuntu, and am getting plenty of work related tasks done. Of course, I am also a fan of the cloud. Stone me if you must.
- clickwir, on 01/29/2009, -0/+15 "Local" meaning anyone that is already legitimately logged in. Which could be remote via SSH.
- DBeta, on 01/29/2009, -1/+16 In an office of 35 computers, we have exactly two printers that still use the old serial printer ports. USB is pretty much where it is at, even in business, these days.
Ubuntu is a pretty slick OS, if you want to take the time to customize it, and I do. I get work done with it, no problem. vlk34 is an idiot, it's just that simple.
- Carbunkulous, on 01/29/2009, -0/+15 Wow, that is rough..
- jeffcox111, on 01/29/2009, -0/+13 I use USB and Ubuntu at work, and I'm a programmer.
- cesclaveria, on 01/29/2009, -0/+13 mocking windows users and their eternal wait for patches? or just didn't read TFA?
- depro9, on 01/29/2009, -0/+13 Already fixed HAHA!
- Toshibi, on 01/29/2009, -2/+15 Also, these are all "local exploits". They all say "a local attacker".
- fandyboy, on 01/29/2009, -0/+13 You, sir, are an idiot :/
- smotpoker, on 01/29/2009, -1/+13 You're mistaken, they have to be logged into the system already. Not something you can do just by picking up a wireless signal (unless the particular Ubuntu system happens to be allowing clear-text telnet/ftp sessions or sending/receiving sensitive login credentials some other way).
"Local user" in this case means logged into the system, not just on the local lan segment or something.
- raydeen, on 01/29/2009, -0/+12 BADGER NEED MOAR PORNZ!!!
- alexforcefive, on 01/29/2009, -2/+14 what are you, some kinda macfag?
(I jest...)
- Lebrun, on 01/29/2009, -0/+10 Old news, this was in an update from days ago.
- whoreable, on 01/30/2009, -0/+9 With the auto-updates, I'm not sure how this article even exists. I do manual updates when Ubuntu tells me and have no problems. It is not like a pirated copy of xp and I am afraid to do the updates.
- Serinus, on 01/29/2009, -0/+9 That's odd. I missed the parts where it said "an attacker could gain control." That certainly seems to be what you're implying if you're trying to say that windows is better in this regard.
- trakie, on 01/29/2009, -0/+8 i was about to reply and say well of course we patch when the update icon comes up in the notification bar - but just then realized i've got a mythbuntu box that i didn't patch yet. thanks for the heads up because i could have let this go for a while.
- cesclaveria, on 01/29/2009, -0/+8 I guess it pretty much depends on what your work is, but I think it is more than capable of getting most work done.
I would like to know if you have any examples or it is just a good old fashioned trolling?
- Thue, on 01/29/2009, -1/+9 Or if the attacker could gain access to non-root shell on the system via some other hole, they could use one of these to hang the machine.
Or if there are people on the system who have access to log in via ssh, but do not have root access, they could again use one of these to hang the system.
- raydeen, on 01/29/2009, -0/+8 vik34 is the AOL of Digg posters.
- elipabst, on 01/30/2009, -1/+9 Really? Personally I would have checked to see if Windows had any currently unpatched Denial of Service vulnerabilities before looking like an ass on the internets. But hey, that's just me. I like the "solution" on this one:
Advisory: SA32115
Release Date: 2008-10-06
Description:
Defsanguje has discovered a vulnerability in Microsoft Windows Vista, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of page faults caused by repeated attempts to access a virtual address from a "PAGE_NOACCESS" memory page and can be exploited to cause a system crash. The vulnerability is confirmed on a fully patched Microsoft Windows Vista system.
Solution:
Restrict local access to trusted users only.
Which translates to "We're not fixing it, so good luck with that."
- sjaxso, on 01/29/2009, -0/+8 Ubuntu's auto-updates make life so easy. Want to upgrade to the new kernel? Sure. Done.
- rmflagg, on 01/29/2009, -0/+7 Back under the bridge, troll.
- jihadjohnson, on 01/29/2009, -1/+8 Difference is you see linux exploits used a lot less, and all of these were local attacks as well. Still a very good idea to patch your box though (i am now)!
- srg13, on 01/29/2009, -0/+7 The terminal is always used in tutorials because saying "copy apt-get install some-program into your terminal" is a little easier than saying to click the Applications menu, open Add and Remove Programs, type 'some-program' in the search box, checking the box next to it, clicking Install. It's easy to do, but I'd rather give them three words to copy and paste than explaining all that...
Or is copying and pasting a few commands past your computing ability?
- fandyboy, on 01/29/2009, -2/+8 No thanks, I like apps.
- hieveryone, on 01/30/2009, -1/+7 The fixes were for local exploits, meaning someone has to have physical access to the computer to make the exploits do anything. You're one of my favorite trolls. =)
- AlesDigg, on 01/29/2009, -0/+6 Reading about the vulnerabilities and understanding next to nothing, I can really appreciate the knowledge and work of kernel coders.
- dacheetah, on 01/30/2009, -1/+7 Well it's not exactly a huge flaw. In every case "a local attacker" (as in someone who has already logged in via ssh, or with physical access or similar) could exploit this vulnerability to cause the system to hang (basically crash the computer).
With Windows, it's not uncommon to see a vulnerability that instead allows a remote attacker to execute arbitrary code as super-user.
It's like comparing the vulnerability of Achilles and a normal person.
- srg13, on 01/30/2009, -0/+6 @mrsteveman1 - the reason that Ubuntu doesn't do that is for stability - for example, when a new kernel comes out, it's very likely that it won't work with the proprietary Nvidia drivers. If they pushed the new upgrade to their users, many of their graphics cards would just stop working well until the next Nvidia driver upgrade... I don't think many users would find that acceptable.
- inactive, on 01/29/2009, -4/+10 @oomfoofoo: Man, really? That's your troll? Sad really..... 0/10
- LostSoul83, on 01/29/2009, -0/+6 Uh oh! When is "patch Tuesday"?
Oh wait... I already patched it... nothing to worry about. :)
- jihadjohnson, on 01/29/2009, -0/+6 Assuming your AP isn't using WPA with a good password (if you're using WEP you have bigger problems to worry about).
- keegangrayson, on 01/30/2009, -0/+5 @CrudOMatic you said "Yes marketshare does correlate with vulnerabilities. Windows has more marketshare than MacOS, Linux, or whatever - therefore it is more prone to attack - ergo more holes will be discovered in Windows than any other OS."
I don't really need to reply. You just proved my point for me. You don't understand causation and correlation. That's like saying ice cream is sold more at the beach in the summer because there is more crime during that time period. The reason more ice cream sells is because it's summer, not because there is more crime. Windows just isn't an operating system you can rely on.
- ileftfark, on 01/29/2009, -0/+5 Can't be used to accomplish anything work related?
ORLY?
http://www.workswithu.com/the-works-with-u-1000/
- tacochampion, on 01/29/2009, -0/+5 LOL.
Tons of security vulnerabilities.
Three vulnerabilities that apply ONLY TO LOCAL USERS and that were AUTOMATICALLY PATCHED before this article was posted.
Nice try, the astroturf is always greener on the other side.