Date: Wed, 4 Aug 2004 19:47:46 +0400
From: Solar Designer <>
Subject: Linux 2.4.26-ow3


Linux 2.4.26-ow3 is out and available for download from the usual

This corrects the access control check in the Linux kernel which
previously wrongly allowed any local user to change the group
ownership of arbitrary NFS-exported/imported files (CAN-2004-0497)
and adds a workaround for the file offset pointer races discovered by
Paul Starzetz (CAN-2004-0415).

The former is only exploitable when files are NFS-exported from a
server running a vulnerable version of Linux 2.4.x, and the currently
publicly known exploit for the latter relies on code enabled with the
CONFIG_MTRR kernel build option, which has not been enabled in the
default kernels on Owl CDs.

However, as the potential impact of both issues is a local root
compromise, an upgrade of older Linux 2.4.x installs to 2.4.26-ow3+ is
highly recommended.

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments
