Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-1011-1 kernel-patch-vserver -- missing attribute support

Related Vulnerabilities: CVE-2005-4347   CVE-2005-4418  

Several vulnerabilities have been discovered in the Debian vserver support for Linux. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2005-4347 Bjørn Steinbrink discovered that the chroot barrier is not set correctly with util-vserver which may result in unauthorised escapes from a vserver to the host system. This vulnerability is limited to the 2.4 kernel patch included in kernel-patch-vserver. The correction to this problem requires updating the util-vserver package as well and installing a new kernel built from the updated kernel-patch-vserver package. CVE-2005-4418 The default policy of util-vserver is set to trust all unknown capabilities instead of considering them as insecure. The old stable distribution (woody) does not contain a kernel-patch-vserver package. For the stable distribution (sarge) this problem has been fixed in version 1.9.5.5 of kernel-patch-vserver and in version 0.30.204-5sarge3 of util-vserver. For the unstable distribution (sid) this problem has been fixed in version 2.3 of kernel-patch-vserver and in version 0.30.208-1 of util-vserver. We recommend that you upgrade your util-vserver and kernel-patch-vserver packages and build a new kernel immediately.

Source

Debian Security Advisory

DSA-1011-1 kernel-patch-vserver -- missing attribute support

Date Reported:
21 Mar 2005
Affected Packages:
kernel-patch-vserver, util-vserver
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 329087, Bug 329090.
In Mitre's CVE dictionary: CVE-2005-4347, CVE-2005-4418.
More information:

Several vulnerabilities have been discovered in the Debian vserver support for Linux. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2005-4347

    Bjørn Steinbrink discovered that the chroot barrier is not set correctly with util-vserver which may result in unauthorised escapes from a vserver to the host system.

    This vulnerability is limited to the 2.4 kernel patch included in kernel-patch-vserver. The correction to this problem requires updating the util-vserver package as well and installing a new kernel built from the updated kernel-patch-vserver package.

  • CVE-2005-4418

    The default policy of util-vserver is set to trust all unknown capabilities instead of considering them as insecure.

The old stable distribution (woody) does not contain a kernel-patch-vserver package.

For the stable distribution (sarge) this problem has been fixed in version 1.9.5.5 of kernel-patch-vserver and in version 0.30.204-5sarge3 of util-vserver.

For the unstable distribution (sid) this problem has been fixed in version 2.3 of kernel-patch-vserver and in version 0.30.208-1 of util-vserver.

We recommend that you upgrade your util-vserver and kernel-patch-vserver packages and build a new kernel immediately.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:
http://security.debian.org/pool/updates/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.5.dsc
http://security.debian.org/pool/updates/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.5.tar.gz
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3.dsc
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3.diff.gz
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/k/kernel-patch-vserver/kernel-patch-vserver_1.9.5.5_all.deb
Alpha:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_amd64.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_ia64.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/u/util-vserver/util-vserver_0.30.204-5sarge3_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started