debian's security model and that of the others, was Re: [Soci SLIP] Red Hat, Ubuntu, and Arch Linux patch Linux kernel exploit

llcfree llcfree at gmail.com
Sun 20 Jan 2013 20:35:05 CET


On Sun, 2013-01-20 at 11:57 +0100, Lucio Crusca wrote:
> On Sunday 20 January 2013 11:33:55, llcfree wrote:
> > > > security with debian testing. Time to find out?
> > > 
> > > I'll tell you: there's almost none.
> > 
> > I'm really afraid you're right. This is the reason why, a long time ago,
> > I had ruled out the idea of using testing 

This time we were both wrong, it was worth checking,
sleep soundly, at least for 2012-0056, debian has taken care of it :)

https://security-tracker.debian.org/tracker/CVE-2012-0056

Name	CVE-2012-0056

Description	The mem_write function in Linux kernel 2.6.39 and other
versions, when ASLR is disabled, does not properly check permissions
when writing to /proc/<pid>/mem, which allows local users to gain
privileges by modifying process memory, as demonstrated by Mempodipper.
Source	CVE (at NVD; oss-sec, Red Hat, Ubuntu, Gentoo, more)
NVD severity	medium (attack range: local)

Debian/oldstable	not known to be vulnerable.
Debian/stable	not vulnerable.
Debian/testing	not known to be vulnerable.
Debian/unstable	not known to be vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.
Source Package	Release	Version	Status
linux-2.6 (PTS)	squeeze (security)	2.6.32-44	fixed
	squeeze	2.6.32-46	fixed

The information above is based on the following data on fixed versions.
Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
linux-2.6	source	(unstable)	3.2.1-2	medium		
linux-2.6	source	lenny	(not affected)			
linux-2.6	source	squeeze	(not affected)			
Notes

[squeeze] - linux-2.6 <not-affected> (introduced in 2.6.39)
[lenny] - linux-2.6 <not-affected> (introduced in 2.6.39)
fix is
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc (queued for 3.3)

Loredana





