Just days after the much-anticipated Linux 2.6.12 kernel was
officially released, an update has been issued to fix two security vulnerabilities.
Linux kernel developer Chris Wright announced the 2.6.12.1
security fix release late Wednesday.
One of the issues carries the CVE designation CAN-2005-1761 and was
titled, “ia64 ptrace + sigrestore_context” in the Changelog for 2.6.12.1.
According to Danish Research firm Secunia, the impact of this vulnerability is unknown.
The other fix is for an issue that is somewhat more dangerous and could
lead to a Denial-of-Serviceattack by a malicious user. The 2.6.12.1 changelog refers to
the patch as “Clean up subthread exec” and refers to the CVE designation
CAN-2005-1913.
An error had existed in the 2.6.12 kernel in the delivery of
signals with a sub-thread “exec” on a pending timer.
“If subthread exec’s
with timer pending, signal is delivered to old group-leader and can panic
kernel,” the 2.6.12.1 changelog noted.
Causing a kernel to “panic” is a serious condition that in many cases
causes a Linux system to shut down. According to security firm Secunia, the
subthreat exec kernel panic issue could have been exploited by malicious,
local users to cause a DoS attack.
The overall effect of the 2.6.12 flaws, however, is not likely to have a
significant impact on Linux users. The 2.6.12 kernel was only
officially released last Friday by Linux creator Linus Torvalds
and has not made its way – yet — into many Linux distributions.
The 2.6.12 Linux kernel introduces a number of new
innovations to Linux including native support for Xen as well as
SELinux.