[BlueOnyx:01098] Re: udev security vulnerability: RHSA-2009:0427-01 /CVE-2009-1185

Darrell D. Mobley dmobley at uhostme.com
Sun Apr 19 10:49:58 -05 2009


It will be interesting to see how long it takes us to get this on BQ.  Sigh.

> -----Original Message-----
> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it]
> On Behalf Of Michael Stauber
> Sent: Saturday, April 18, 2009 9:42 PM
> To: Blueonyx at blueonyx.it
> Subject: [BlueOnyx:01093] udev security vulnerability: RHSA-2009:0427-01 /CVE-2009-1185
> 
> Hi all,
> 
> Pretty much all major Linux distributions are affected by a vulnerability
> which allows a local attacker to gain root access by sending a specially
> crafted Netlink message to udev:
> 
> http://c-skills.blogspot.com/2009/04/udev-trickery-cve-2009-1185-and-cve.html
> 
> On Friday most of the affected Linux distributors released fixes, including
> RedHat:
> 
> http://linuxcompatible.org/RHSA-20090427-01_Important_udev_security_update_p127899.html
> 
> However, CentOS (again) is taking some time and an updated "udev" RPM is not
> yet available on the CentOS YUM repository.
> 
> As this vulnerability is rated as critical I think it wouldn't be wise to wait
> for the CentOS guys to get into gear. Hence I built an updated udev RPM from
> the RedHat sources and released the following two RPMs to the BlueOnyx YUM
> repository:
> 
> udev-095-14.20.i386
> libvolume_id-095-14.20.i386
> 
> Everyone is encouraged to run "yum update" as soon as possible to protect
> against this vulnerability by installing these updates.
> 
> Sidenote: Virtual BlueOnyx users (Aventurin{e} / OpenVZ) are not affected by
> this, as "udev" is not installed.
> 
> --
> With best regards
> 
> Michael Stauber
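
A way to confirm which hosts still need the update, as an added example that is not part of the original thread or BlueOnyx's own tooling: it classifies a udev version-release string against the fixed build named in the announcement (095-14.20) and treats hosts without udev as not installed, matching the OpenVZ sidenote. The function names, hostnames and the older release strings are constructed, and `sort -V` is assumed to order these simple release strings the way rpm does.

```shell
#!/bin/sh
# Added example: classify hosts by udev build against the fixed package
# named in the announcement (udev-095-14.20). Not BlueOnyx code.
FIXED_UDEV="095-14.20"

# ver_ge A B: succeeds when A sorts at or after B under GNU "sort -V".
# Assumption: for plain numeric releases like these, sort -V agrees with
# rpm's ordering; it is not a full reimplementation of rpm's comparison.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# classify_udev VR: VR is "version-release" as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}' udev
# or "-" (or empty) when udev is absent.
classify_udev() {
    if [ -z "$1" ] || [ "$1" = "-" ]; then
        echo "not-installed"    # e.g. OpenVZ containers, per the sidenote
    elif ver_ge "$1" "$FIXED_UDEV"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# audit: reads "hostname version-release" lines on stdin and prints the
# hosts that still need "yum update".
audit() {
    while read -r host vr; do
        [ -n "$host" ] || continue
        [ "$(classify_udev "$vr")" = "vulnerable" ] && echo "$host"
    done
    return 0
}

# local_udev_vr: the value for this machine, "-" if udev is not installed
# (rpm prints a "not installed" message and exits non-zero in that case).
local_udev_vr() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' udev 2>/dev/null) \
        && echo "$vr" || echo "-"
}

# Constructed inventory (hostnames and the older releases are made up).
SAMPLE="web1 095-14.20
web2 095-14.19.el5
ct101 -
db1 095-14.9"
```

On a single machine, `classify_udev "$(local_udev_vr)"` gives the status; `printf '%s\n' "$SAMPLE" | audit` lists the hosts from the sample inventory that are still below the fixed build.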
