SecurityFocus: Linux kernel memory access vulnerabilities, exploit included to get you root account on stock kernels between 2.6.17 and 18.104.22.168. Web hosts responded — Holy !$#&!!! CentOS 5, Ubuntu Edgy-Gutsy, Debian Etch — all these Linux distributions are affected. Basically a local user can gain root access, and with help from vulnerable applications that allow executing arbitrary local code, a remote user might be able to take over the entire system.
It is great to see hosts taking security seriously (especially those providing SSH access to shared hosting accounts). Looking at my list of hosting accounts:
- SliceHost — not vulnerable as they run Linux 2.6.16.
- Linode — new kernel images created within 24 hours of security alert.
- VPSLink — can’t find any discussion on their forums. My VPS there was running 2.6.9 so it should be secure, but I heard there are servers running newer 2.6.18 kernels from OpenVZ.
- DreamHost — “What security issue? We are still running 2.4 kernels!”
- NearlyFreeSpeech — “What security issue? FreeBSD ftw!”
A bad bad week for Linux for sure. Time to press that panic button.