New Linux Kernel Vulnerability
Stop Or I'll Noop writes "Paul Starzetz writes, "A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap(2) system call due to a missing function return value check. This bug is completely unrelated to the mremap bug disclosed on 05-01-2003 except concerning the same internal kernel function code." Full scoop here."
Update: 03/07 20:53 GMT by T : This vulnerability (and fixes) were mentioned briefly in an update to this earlier posting.
Many eyes, but wide open or tight shut ? (Score:5, Insightful)
looked at in great depth just recently, after a critical vulnerability was found. A few weeks go by and another hugely important hole is found...
Now I know the consequences of a problem bear little relation to its root cause, but I am a little surprised at how this managed to find its way through all these eyes looking at the offending code a week or so ago. Actually making it work as a security hole looks to be reasonably complex, (which may be why it wasn't found, I guess), but if one piece of code can have 2 major vulnerabilities in as many weeks, maybe it's time to start worrying about when Linux *does* take over the desktop...
I thought the automated 'Stanford Checker' (sp ?) was ideal for this sort of problem ? (Where the returned value from a function is ignored...) Perhaps it was flagged up but took some in-depth analysis for the kernel developers to realise it really was a problem...
So, is this a master-stroke of the development model, with various people around the world all individually checking code and Hey! Someone found something, or is it a "failure" where all those people missed it the first time around, and it's a pure fluke it was found now.... I'm still not sure, but I'll give the benefit of the doubt to the model - hey, it's been fixed!
Simon
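The summary and the post above describe the bug class, a caller that ignores the return value of a kernel routine that can fail. The following is an added example, not the kernel's mremap() code: a constructed toy address space in which a remap-style move first unmaps its destination and then relocates the entry, written once with the unmap result ignored and once with it checked. The region table, its limit, the error codes and the scenario are all assumptions made for illustration.

```c
/* Added example, not the kernel's mremap() code: a constructed toy address
 * space showing the defect class the post above names, a caller that ignores
 * a failing return value. Region table, limit and move operation are made up. */
#include <errno.h>
#include <string.h>

#define MAX_REGIONS 4                               /* constructed per-process limit */
struct region { unsigned long start, end; };        /* half-open [start, end) */
struct addr_space { struct region r[MAX_REGIONS]; int count; };

/* Remove [start, end). A region straddling the range must be split in two,
 * which needs a free slot; with none left, fail with -ENOMEM before touching
 * the table. This is the error path the caller must not ignore. */
int unmap_range(struct addr_space *as, unsigned long start, unsigned long end)
{
    int splits = 0;                                 /* regions needing a split */
    for (int i = 0; i < as->count; i++)
        splits += (start > as->r[i].start && end < as->r[i].end);
    if (as->count + splits > MAX_REGIONS) return -ENOMEM;
    for (int i = 0; i < as->count; i++) {
        struct region *cur = &as->r[i];
        if (end <= cur->start || start >= cur->end) continue;    /* disjoint */
        if (start > cur->start && end < cur->end) {              /* split */
            as->r[as->count++] = (struct region){ end, cur->end };
            cur->end = start;
        } else if (start <= cur->start && end >= cur->end) {     /* drop whole */
            memmove(cur, cur + 1, (size_t)(as->count - i - 1) * sizeof *cur);
            as->count--; i--;
        } else if (start <= cur->start) cur->start = end;        /* trim front */
        else cur->end = start;                                   /* trim back */
    }
    return 0;
}

static int find_region(const struct addr_space *as, unsigned long start)
{
    for (int i = 0; i < as->count; i++)
        if (as->r[i].start == start) return i;
    return -1;
}

/* Move the region at old_start to new_start (MREMAP_FIXED-style): unmap the
 * destination, then relocate the entry. check_unmap selects the fixed path. */
static int do_move(struct addr_space *as, unsigned long old_start,
                   unsigned long new_start, int check_unmap)
{
    int i = find_region(as, old_start);
    if (i < 0) return -EINVAL;
    unsigned long len = as->r[i].end - as->r[i].start;
    if (new_start < as->r[i].end && old_start < new_start + len)
        return -EINVAL;                  /* toy: source and destination disjoint */
    int err = unmap_range(as, new_start, new_start + len);
    if (check_unmap && err)
        return err;                      /* fixed: propagate, table untouched */
    i = find_region(as, old_start);      /* unmap may have shuffled entries */
    as->r[i].start = new_start;          /* buggy path gets here even when err */
    as->r[i].end = new_start + len;
    return 0;
}
int move_region_unchecked(struct addr_space *as, unsigned long o, unsigned long n) { return do_move(as, o, n, 0); }
int move_region_checked(struct addr_space *as, unsigned long o, unsigned long n) { return do_move(as, o, n, 1); }

/* Oracle: 1 when no two regions overlap. */
int regions_consistent(const struct addr_space *as)
{
    for (int i = 0; i < as->count; i++)
        for (int j = i + 1; j < as->count; j++)
            if (as->r[i].start < as->r[j].end && as->r[j].start < as->r[i].end)
                return 0;
    return 1;
}

/* Constructed scenario: table full, destination inside a mapped region, so
 * the unmap needs a split and fails. Returns 1 if regions now overlap;
 * demo_last_err receives what the move reported to its caller. */
int demo_last_err;
int demo(int checked)
{
    struct addr_space as = { { {0x1000, 0x2000}, {0x3000, 0x8000},
                               {0x9000, 0xa000}, {0xb000, 0xc000} }, 4 };
    demo_last_err = checked ? move_region_checked(&as, 0x1000, 0x5000)
                            : move_region_unchecked(&as, 0x1000, 0x5000);
    return !regions_consistent(&as);
}
```

The unchecked path reports success while leaving two regions overlapping, which is exactly the kind of inconsistent bookkeeping a return-value checker flags; the checked path returns -ENOMEM and leaves the table as it was.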
Re:Many eyes, but wide open or tight shut ? (Score:5, Insightful)
That's a long time. Maybe some crackers have been using this exploit during that time (or, of course, maybe they haven't).
Re:Many eyes, but wide open or tight shut ? (Score:5, Informative)
eyes wide stupid? (Score:5, Insightful)
You may trust your authorized users, but do you trust their passwords, habits in storing passwords ("You don't expect me to remember that, do you? Where are my post-it notes..."), and wisdom to not extend trust to ANYONE?
Do you also trust users to not run a piece of malicious code that shows up purporting to be some groovy new Linux app that will do some groovy new thing? After all, it would only have to require a vanilla user account... and Linux never gets viruses, so why worry? ;)
I think you see where I'm going with this. Local exploits need to be patched too, and sysadmins all too frequently think they don't because they are "only local".
Re:eyes wide stupid? (Score:5, Insightful)
Sysadmins who trivialize these 'moot' issues should realize that at some point, if not today, maybe next year, they are going to have to defend their judgement to an angry CEO who has just lost big money. I don't believe 'total security', even at the software can be attained. All we can do is to keep on patching, and to disclose these vulnerabilities in a responsible and efficient manner.
judicial use of 'noexec' (Score:4, Insightful)
Re:judicial use of 'noexec' (Score:4, Insightful)
Nope. Sorry, won't work. As long as users have execute access to ld-linux.so.2 (which lives in /lib) or the equivalent on non-Linux boxes, they can run any ELF executable, noexec or not.
And AFAIK, ld-linux.so.2 has to be executable by all in order for the system to function normally, but I am not quite sure there.
Mart
Re:judicial use of 'noexec' (Score:3, Insightful)
Scratch what I just said. It seems that this hole is closed. I get 'Operation not permitted' when I try to run an executable. It appears that noexec really means noexec.
Mart
Re:eyes wide stupid? (Score:5, Funny)
I really don't understand what all the fuss is about.
Re:Many eyes, but wide open or tight shut ? (Score:5, Insightful)
Now, I am not a hacker, but I think after I got local access via another exploit, I would use this current vulnerability to get root, install my back door/zombie code, etc. and leave quietly.
Every exploit is serious.
Re:Many eyes, but wide open or tight shut ? (Score:3, Insightful)
Re:Many eyes, but wide open or tight shut ? (Score:3, Interesting)
So basically this proves that Linux is just as insecure as Windows is. There have been lots of major kernel vulnerabilities floating around in the past 6 months. I guess it's time to switch to OpenBSD.
Oh, yes, send me a binary... (Score:5, Insightful)
How does this compare to send me a fscking html-with-vbscript that will be executed while in the preview pane of Outlook Express and downloads another executable that has the power to install itself as a device driver and run in kernel mode?????
Even if I have to click on the attachment, it will execute right away!!!!
Security through obscurity? (Score:3, Insightful)
Well, I think this proves that the "security through obscurity" model is, at best, ineffective. If it has been so long there for anyone to see and the "good" guys didn't see it, what makes you believe that the "bad" guys would spot it?
I don't have hard data to prove this, but I believe that the following two points are true: (1) there are more good guys than bad guys, or otherwise society as we know it wouldn't exist;
Way Too Idealistic (Score:4, Interesting)
Anyway, go read "The Art Of War" or watch "The Godfather". It is a serious error to assume your enemy is weak, and I would recommend against that philosophy when securing critical assets.
Enough already ... Obscurity has its place (Score:5, Insightful)
Don't forget
So
Re:Many eyes, but wide open or tight shut ? (Score:5, Insightful)
Re:Many eyes, but wide open or tight shut ? (Score:5, Funny)
*ahem*
[displays 46th chromosome, which is clearly an X]
Re:Many eyes, but wide open or tight shut ? (Score:4, Funny)
Young lady, on this site we do not expose ourselves in public. The dress code clearly states that skirts must go _below_ the 46:th chromosome.
Re:Many eyes, but wide open or tight shut ? (Score:5, Insightful)
My thinking is that Linux on the desktop is going to need a contingency plan for a widespread vulnerability, similar to what Microsoft does with Automatic Updates. I know it's not perfect, but I'll be damned if I can think of anything better. It's nice to think you can make a bullet-proof kernel, but also naive.
Re:Many eyes, but wide open or tight shut ? (Score:5, Informative)
My thinking is that Linux on the desktop is going to need a contingency plan for a widespread vulnerability, similar to what Microsoft does with Automatic Updates.
I'm guessing you don't use Linux then. All major distros release such updates very quickly, and RedHat at least had a desktop icon that alerted users if updates were available. The kernel will get patched if it needs to, but it's up to the distro vendors to include something "idiot proof" to yell if the system needs an update.
Re:Many eyes, but wide open or tight shut ? (Score:3, Informative)
On Debian/Red Hat with APT:
apt-get update && apt-get dist-upgrade
On Red Hat with up2date:
up2date -u
On Mandrake:
urpmi.update && urpmi --auto-select
And so on.. Now obviously these could be improved (i.e. mail the admin if it fails), but auto-updating is a lot easier under Linux.
Re:Many eyes, but wide open or tight shut ? (Score:5, Informative)
I actually read the bug report then, and I read it now, and when I got down to the bug explanation (with the lines of X's representing memory) I realized it was the exact same one I had seen before!
A lot of problems in mremap... (Score:5, Insightful)
Re:A lot of problems in mremap... (Score:4, Funny)
Re:A lot of problems in mremap... (Score:2, Funny)
This is medium old news. (Score:5, Informative)
You just thought it was the third because you already heard about two, and forgot that sometimes things take a week or so to make it to
Re:A lot of problems in mremap... (Score:5, Funny)
19 minutes later, and no one has blamed SCO yet? What's wrong with you people today?
Install windows! (Score:4, Funny)
Boot
Install
bah
Re:Install windows! more like (Score:5, Funny)
Boot
Reboot
Install
Reboot
Install some more
Reboot
Continue installation
Reboot
Register windows installation
Change a setting
Reboot
bah
Re:Install windows! (Score:4, Funny)
Reboot in 60 seconds...
Reboot in 60 seconds...
Typical user experience. (Score:3, Interesting)
1) Buy computer with Windows XP Home Edition pre-installed.
2) They get a virus, perhaps even a trojan. Or maybe a worm, since the computer wasn't up-to-date. Or they were stupid and opened MyDoom. Regardless, it cripples the computer.
3) They buy or download an antivirus software. Perhaps their computer works well enough to install it, and reinstall Windows if it does not.
4) Ok, finally a working computer again. But since they browse the internet as administrator (as it works by defa
Damn (Score:4, Insightful)
Re:Damn (all your base are belong to us) (Score:5, Informative)
Re:Damn (all your base are belong to us) (Score:3, Interesting)
There is a patched kernel at least for RedHat:
https://rhn.redhat.com/errata/RHSA-2004-065.html [redhat.com]
Note in the third paragraph:
"Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0077 to this issue."
This is the same
Re: (Score:3, Informative)
Re:Damn (Score:5, Funny)
Re:Damn (Score:2, Funny)
And patch your kernel another day.
Re:Damn (Score:2)
dupe (Score:5, Insightful)
Re:Story is a troll!!!!! (Score:3, Insightful)
Re:Story is a troll!!!!! (Score:3, Informative)
But, what he's saying is, it's NOT still there. It's been fixed already.
Not a new vulnerability (Score:5, Informative)
I'm guessing that we can expect a patch from SCO? (Score:4, Funny)
Does this mean... (Score:3, Funny)
...I'm going to have to patch the kernels on the Debian servers and reboot again?
That'll be the third time in as many months.
Well, as they say... (Score:2, Funny)
In Windows it's a feature.
Amazing what a one line oversight can do (Score:5, Insightful)
So it costs $9,000, so what? (Score:2)
Re:Amazing what a one line oversight can do (Score:5, Insightful)
That figure depends largely upon how many customers you have and how sophisticated your patch-distribution system is. In pre-internet days, a critical problem might have meant shipping a floppy disk to each of your customers (of course, this reduced the chance of problems being classified as "critical"). Now, most security problems in FreeBSD can be fixed in two minutes using 50kB of bandwidth and binary patches [daemonology.net]. Most operating systems fall somewhere in the middle, distributing entire [apple.com] files [microsoft.com], or even complete [redhat.com] packages [debian.org], every time a one-line security fix is necessary, with the effect of requiring a 50-fold (or more, in the case of packages) increase in bandwidth (and, over slow connections, time).
Someone from Microsoft explained this to me as "we've got huge amounts of bandwidth, so we really don't need to save bandwidth by using patches"... it doesn't surprise me that Microsoft ignores the fact that delta compression would benefit their customers, but I expected better from Apple or the Linux community.
Can someone quickly fix this ? (Score:5, Funny)
Not a big deal really (Score:5, Informative)
Only version: 2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2
-jmoen-
"Windows users: want Security, install linux"??? (Score:5, Funny)
It might be time to take a page from the MS book and take a few weeks for a full line by line audit.
Re:"Windows users: want Security, install linux"?? (Score:2, Interesting)
The goal a lot of people have is to make Linux mainstream, that means that less and less knowledgeable users will be using it. If Linux continues to suffer from kernel exploits from time to time just like Windows then those same users will be running executable mail viruses built for Linux just like they do for Windows now.
A lot of people I've seen using Linux have a false sense of security and therefore aren't as careful as they are on Windows (which i
Re:"Windows users: want Security, install linux"?? (Score:4, Informative)
In Linux, peer review found it, fixed it and made the information available, so you know that you have an exploit.
Linux seems much more Mainstream to me. Until people write perfect, bug free, secure software, give me a system that at least I can keep up to date and have a chance to protect myself.
Re:"Windows users: want Security, install linux"?? (Score:5, Insightful)
"On a Windows box, there would have been no peer review."
I doubt that even Microsoft lets security fixes be released without having other Microsoft programmers review all the relevant code. A more accurate comment might be:
"On a Windows box, there would have been no public peer review."
Somewhere . . . (Score:5, Funny)
Kernel 2.6.4-rc2-bk3: Never, I'll Never turn to the Dark side, I'm open source...like my father before me.
Bill: So be it, open source
Bill: if you will not be turned, you will be destroyed (shooting purple lightning bolts)
Bill: You will pay the price for your lack of vision
Kernel 2.6.4-rc2-bk3: Linus please (in agony).
.....to be continued
I await my -5 (Troll)
From the link... (Score:3, Informative)
Local, not remote.
In general: If an attacker has local access or can gain the equivalent by using a remote access tool, a local exploit can be a problem.
So, personally I'm not too worried though others with different types of users or configurations might have a high level of concern.
Old news (Score:5, Informative)
known since 18. feb. 2004 (Score:5, Informative)
isec just waited some weeks until they released the exploit...
Layman's terms? (Score:2, Funny)
Re:Layman's terms? (Score:5, Funny)
Sure. A program can ask the operating system kernel to Do Things. Now, someone has found out that when you ask the kernel to Do Things certain way, the kernel subsequently thinks you are the Boss.
Like, you have this stack of forms you want the computer signed. You hand them over to the computer. One of the papers is "Do whatever I say" form that would give you the Power. The computer won't read it and just signs it along with the others, then hands you the forms back.
How's that for an explanation?
Important to Remember (Score:3, Interesting)
When a Linux vulnerability is patched, it is proof that open source software is wonderful.
Re:Important to Remember (Score:5, Funny)
Log onto slashdot.
Bash Microsoft.
Bash the bashers of Microsoft.
Bash the bashers of the bashers of Microsoft.
Re:Important to Remember (Score:5, Funny)
Re:Important to Remember (Score:5, Insightful)
You know there are -- among the many, many, many open vulnerabilities out there -- two which are particularly problematic for Windows users. (There are many more out there, but I figure I'll focus in on these two for now.)
The first one [slashdot.org] allows an attacker to mask the real address of the site you're viewing in IE. So, go and open up a spam claiming that Paypal needs you to update your credit card number, and you'll actually see PayPal.com as the URL. The second one [slashdot.org] allows an attacker to crash IE and exploit arbitrary code when a user views a picture on a web page under IE.
As a Computer Programmer, I understand how hard it is to create 100% bug free code. Any system as complex as Windows or Linux is bound to contain some bugs and / or vulnerabilities. However, when an exploit is found in Windows (to the best of my knowledge those two exploits have yet to be patched), it takes forever to get a fix to the public.
On the other hand, as soon as I heard of the vulnerability in the Linux Kernel, I have the following options:
Now, whereas I am pretty certain Slackware will have a package available for me to update my kernel in another 48 - 72 hours, and if it's absolutely urgent for me to fix it I can either disable it or fix it myself (something Windoze won't let you do -- although the nature of the vulnerability in the kernel may make disabling it impractical. But still, at least you have the option), Microsoft has not, to the best of my knowledge, fixed these vulnerabilities, even though it's been months.
This is why Open Source Software is so great. Technically sophisticated users hold the destiny of the software in their own hands. And I haven't even begun to get started on how great it is not to submit annoying feature requests, but to make software do what you want it to do.
Re:Important to Remember (Score:3, Insightful)
Two things:
1. Why aren't "days" enough to do proper testing? I agree that minutes aren't enough. And neither are hours usually, but there are cases where I would argue that, depending on the kind of change, the testsuites and the QA requirements.
2. In OSS, most times a patch isn't released in the conventional meaning of t
More critical vulnerability in FreeBSD (Score:4, Interesting)
The TCP/IP stack can be stopped by sending unordered TCP fragments.
This is a serious remote vulnerability, and any FreeBSD with an open TCP port should be patched ASAP.
Here's a link to the official advisory
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisori
Regardless of the operating system you are running, always keep everything up to date.
Re:More critical vulnerability in FreeBSD (Score:3, Informative)
Not the way to make friends. (Score:2, Interesting)
My biggest grief, is him not releasing source code patches for genuine kernel.org kernels. If he's so good to release sploits, he's good enough to submit source code patches.
Robert
Date format (Score:5, Insightful)
OK time for me to tilt at a few windmills. Aside from the date being off by a year (the link quotes the date as 05-01-2004), is this supposed to be 1st of May or the 5th of January?
In an international forum and for clarity, ISO 8601 dates [cam.ac.uk]. Therefore: 2004-01-05.
Sorry for the rant, but I work for an international company, and have spent sizable parts of meetings trying to figure out which version of a document is "most recent", 2/3/04 or 3/2/04.
Re:Date format (Score:2)
03 May 2004
31 Jan 2005
03 Oct 2004
Even if you do those in another language, the meaning is still much clearer than 03/05/04
Michael
Can't agree more (Score:5, Insightful)
This, of course, is why nobody uses them.
*sigh*
As the evil dictator-like sysadmin, at work all my in-house intranet tools report ISO dates. I had a few people confused at first, but now it's the accepted format at work for things like archive directories (hundreds of directories named NN-NN-NN, NN.NN.NN or NNNNNN can get rather confusing - YYYY-MM-DD is so much easier).
Now, if only the
While we're at it, can we have the ISO paper sizes adopted by the few holdouts, too? (I only wish...)
Re:Can't agree more (Score:3, Funny)
(j/k)
if you patched two weeks ago, you can ignore this (Score:3, Informative)
Thank $DEITY I don't need to patch/reboot again. I was starting to get a bit annoyed at having to patch the kernel twice in two months. Scheduling reboots of machines in use by many people is no fun.
Re:if you patched two weeks ago, you can ignore th (Score:3, Informative)
Oh yes, I know how to use /usr/bin/patch . But where is the patch itself? like linux-2.4.24-mremap.patch ? for instance
cat linux-2.4.24-mremap.patch | patch -p0
would do the job. However _where_ is the linux-2.4.24-mremap.patch to be found?
Robert
Patched in 2.6.3 apparently (Score:5, Informative)
[+] kernel 2.6.3 vulnerable: NO exploitable NO
There's also a patch to mremap listed in the 2.6.3 ChangeLog. So I don't know how "new" this bug is.
MS vs Linux debugging. (Score:5, Insightful)
What winds up happening is I pay MS to produce a product that I have very little input on. I buy the off the shelf solution to then develop 50% of the solution anyway. And, then it crashes, the documents are incorrect (updates might be available on their web sites), and I have no way of figuring out what the issues are without paying more $s for something I paid for already. If I tried to pull the same trick, I would lose my client.
Linux side is someone spots the issue, makes us aware of it in most cases. People have something more important than a paycheck at stake get to work on a fix for the problem. A, or multiple, potential fix(es) is(are) put up. Sometimes a fix goes straight in with minimal review (it works, most liked it), sometimes the fix gets kicked around to hash out any potential problems (in the full light of day, normally my apps do not break when the fix is rolled out.)
I like the public knowledge aspect of OSS. Yep, hackers have access to it also, but closed source never seemed to stop them, it just stops me from protecting myself.
Maybe we need to look at the next step for OSS? Maybe there is a better model for building OSS? Maybe companies might start providing more donations (like cheap lic fees) to a foundation that rewards freelance OSS programmers with cash for tackling certain problems (and does not pay until the code is peer reviewed and bug checked to a reasonable extent.) Maybe that would work better... Are certain organizations not starting to do that?
Given how much OSS has accomplished in the past decade with its relative lack of fees and "structure", imagine what might happen if more companies started using their proprietary source software budget to put bounties out on features they needed in OSS. True, not all features would they want to make public, but enough they would want to so as to dramatically cut everyone's costs (GNU lic is important because of this). Most companies actually have very close to the same needs. But, their money goes to legal and marketing fees more than it seems to go to actual development fees with off the shelf software. What an economic waste! Check out John Nash [nobel.se] for a rather different rather OSS view of the world.
In the end, you are left with a decision. The programmers at MS are very bright. The programmers in OSS are very bright. The real difference is the perceived safety of being able to blame MS (who you can not hold responsible yet - name one successful law suit against MS for the failure of their software to function as advertised) versus the cost effectiveness of not paying for huge legal and marketing fees (as well as other corporate overhead having very little to do with getting better or more code). I am not against programmers getting paid. I am against sloth and leeches in a corporate setting destroying the market in which programmers get paid.
InnerWeb
Re:MS vs Linux debugging. (Score:4, Insightful)
Re:MS vs Linux debugging. (Score:3, Insightful)
Nobody claims that peer review results in code which is free of bugs or security problems. The claim is the peer review model results in less bugs and secu
Fixed on SUSE kernels??? (Score:3, Interesting)
I can't exploit this on my SUSE kernel. All I get (after many attempts) is:
[+] kernel 2.4.21-192-athlon vulnerable: YES exploitable YES
MMAP #65530 0x50bfa000 - 0x50bfb000 [-] Failed
Perhaps this hasn't gone completely unnoticed...
Does not compute. (Score:4, Interesting)
this vulnerability announcement is a month old (Score:5, Informative)
http://www.slackware.com/changelog/stable.php?c
"
Wed Feb 18 03:44:42 PST 2004
patches/kernels/: Recompiled to fix another bounds-checking error in
the kernel mremap() code. (this is not the same issue that was fixed
on Jan 6) This bug could be used by a local attacker to gain root
privileges. Sites should upgrade to a new kernel. After installing
the new kernel, be sure to run 'lilo'.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN
Thanks to Paul Starzetz for finding and researching this issue.
(* Security fix *)
"
2.4.25 and 2.6.3 are NOT affected by this hole, and there is a patch for 2.4.24 which you can make yourself by diffing a vanilla 2.4.24 kernel with slackware 9.1's 2.4.24 kernel source package.
CmdrTaco, before you post another "announcement" like this, do your homework. The last thing we need is more security disinformation surrounding linux.
Are we sure? (Score:3, Interesting)
Is this really a bug? [tinfoilhatmode] Is the advisory code correct? Or is this just so old that both 2.4 and 2.6 lines have it fixed already?
Tom
Re:Are we sure? (Score:4, Insightful)
Oh oh, I found a bug in Win 3.11... oh wait... that's an old release? Dang... Nobody will want to hear about that...
Tom
which are vulnerable (Score:5, Informative)
Here's the immediately pertinent part:
Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges. The vulnerability may also lead to a denial-of-service attack on the available system memory.
Tested and known to be vulnerable kernel versions are all
So it looks like we've all got to update to the latest of respective trees. I guess the days of running a kernel for months on end are pretty much over.
-AC kernels not affected. (Score:3, Interesting)
Proof-of-Concept Code (Score:5, Interesting)
I have one kernel that is vulnerable but not exploitable according to the Proof-of-Concept code. Saves me some time to not patch, recompile and reboot a new kernel.
I wish future vulnerability announcements will be like this one. e.g. contain Proof-of-Concept exploit code that can tell me whether or not the kernel/software I am running is vulnerable and/or exploitable.
Public knowledge for over two weeks (Score:5, Interesting)
The advisory [www.isec.pl] was released Feb. 18, so this has all been public knowledge for over two weeks. This USENET post [google.com] shows the vulnerability and upcoming exploit was known about, and slashdot is just plain late on this one.
You have had two weeks to patch your systems. I know slackware's advisory [slackware.com] was sent right after the vulnerability became public knowledge.
Re:Which kernels are effected (Score:4, Informative)
- ide-scsi is deprecated for CD burners
- USB now relies on hotplug/libusb/whatnot
Jesus man, why don't you read the fucking 2.6 migration FAQ before posting bollocks?
Re:Which kernels are effected (Score:4, Funny)
Version: 2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2.
No, these kernels are affected. My guess is that kernels 2.2.26, 2.4.25. and 2.6.3 will be effected. The effect of a vulnerability is usually a bugfix release, as an unpatched kernel negatively affects security.
Re:2.6.3? (Score:5, Interesting)
Apparently, only <= 2.6.2 is affected. How could this be fixed in 2.6.3 without anyone noticing that it might be a problem in earlier kernels?
i beg your pardon? (Score:5, Insightful)
Um, the source code for the *fix* is listed *in* the article (you didn't read it did you?)
I don't call posting fixed code and owning up to an exploitable coding error "covering up".
Re:i beg your pardon? (Score:2)
I did, the only thing which was posted was the source code for an exploit program. Not really what I would call a *fix*.
Robert
Re:Clueless lamer (Score:2)
Re:Here we go again (Score:5, Informative)
Do I laugh or do I cry? ...
Laugh, I would say. While both laughing and crying are versatile enough to be used regardless of whether it is a time of great happiness or great sadness, laughing is definitely more "out there".
just when I had finished compiling 2.4.25 on my systems..
Anyone who "just finished compiling" the latest release of their favorite kernel tree is all set (assuming they installed it), since this "new kernel vulnerability" is only new in the /. sense. I would think that people who are super-concerned about such things would recognize that in reading the bulletin.
Did I read the security bulletin correctly
No, you did not. :-( When it said...
2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2
...you mistook the 2.2 for a 2.4 and thought that it affected your 2.4.25 kernel.
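Several posts in this thread (the "Not a big deal really" list of affected versions, and the misreading corrected just above) trip over which kernels the advisory covers. The following is an added example, not from the advisory or from any poster, that turns the quoted ranges into a check a sysadmin can run against `uname -r`; the parsing of distro suffixes such as "2.4.21-192-athlon" and the treatment of unlisted series as "read the advisory" are my assumptions.

```c
/* Added example, not from the advisory or the thread: decide whether a kernel
 * release string falls inside the ranges quoted above (2.2 up to and including
 * 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2).
 * Distro suffixes such as "2.4.21-192-athlon" are tolerated: only the
 * leading three numeric fields are compared. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

struct kver { long major, minor, patch; };

/* Parse "M.m.p<suffix>" into numbers; returns 0 on malformed input. */
int parse_kver(const char *s, struct kver *v)
{
    char *end;
    v->major = strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;
    s = end + 1;
    v->minor = strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;
    s = end + 1;
    v->patch = strtol(s, &end, 10);
    return end != s;
}

/* Highest affected patch level per series, straight from the quoted text;
 * -1 for series the advisory does not list. */
static long last_affected_patch(long major, long minor)
{
    if (major != 2) return -1;
    switch (minor) {
    case 2:  return 25;
    case 4:  return 24;
    case 6:  return 2;
    default: return -1;
    }
}

/* 1 = inside the listed range, 0 = newer than it, -1 = series not listed or
 * string unparsable. -1 means "read the advisory", not "safe". */
int kernel_affected(const char *release)
{
    struct kver v;
    if (!parse_kver(release, &v)) return -1;
    long last = last_affected_patch(v.major, v.minor);
    if (last < 0) return -1;
    return v.patch <= last ? 1 : 0;
}

/* Stand-alone use: classify the running kernel (same string as uname -r). */
int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) return 1;
    int r = kernel_affected(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "inside the listed affected range" :
           r == 0 ? "newer than the listed range" : "series not listed / unparsed");
    return 0;
}
```

A distro kernel that backported the fix (the SUSE and Slackware posts above describe such kernels) will still report "inside the listed affected range", because the version string alone cannot see the backport; check the vendor errata in that case.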
Re:Double standard? (Score:3, Insightful)
Are you being deliberately naive - to load a fixed kernel, it is required to load the fixed kernel, you do understand that, correct? However, for anything other than loading a new kernel, linux does not need to be rebooted, and that includes system lib updates, distribution upgrades etc.