Linux Users Face Risk From Kernel Vulnerability - page 2
Stubborn Kernel Flaw
However, most Linux users do not get their Linux kernel's from Torvalds's kernel branch. Rather, individual Linux distributions package their own versions of the Linux kernel, based on that original kernel.
"Updated kernel packages for Fedora 12 and 13 will soon be available from the updates testing repositories, and will be released as stable after being tested," Mark Cox, director of security response at Red Hat, told InternetNews.com. "Packages for Red Hat Enterprise Linux are being worked on and will be released as soon as they are complete."
"In this specific case, the upstream patch was discussed between the kernel security team and the various Linux vendor security teams in advance," Red Hat's Cox said. "The right patch took several iterations, and a final version was not created until Aug. 13, with a few regression fixes on the days following."
Cox added that Red Hat's process involves backporting the patches from the mainline kernel to the kernel versions in Red Hat Enterprise Linux (RHEL). In addition, he noted that Red Hat performs significant testing on the company's RHEL kernels, and this process takes more than a few days.
Novell said in a statement to InternetNews.com that the security hole has generally been fixed in kernels provided by Novell since 2004, and that SUSE Linux Enterprise 9, SUSE Linux Enterprise 11 and openSUSE are not affected.
However, Novell noted that SUSE Linux Enterprise 10 Service Pack 3 is still vulnerable to the flaw, and that it's currently preparing a fix to resolve this issue.
Spokespeople for Ubuntu Linux, by way of its lead commercial sponsor, Canonical, were not available for comment by press time.
Though the flaw has been in Linux for years, neither Novell nor Red Hat believe that their users were ever at risk.
"The reporter provided a private reproducer that could allow a user local to a machine to escalate their privileges to root. However, we've not seen any reports of exploitation of this issue to date," Cox said.