
posted by martyb on Monday July 22 2019, @05:58PM
from the ALL-kernels-affected dept.

https://www.securityfocus.com/bid/108410

From the RedHat bug discussion:

https://bugzilla.redhat.com/show_bug.cgi?id=1709180

A flaw was found in the Linux kernel's implementation of IPMI (remote baseband access) where an attacker with local access to read /proc/ioports may be able to create a use-after-free condition when the kernel module is unloaded. The use-after-free condition may result in privilege escalation. Investigation is ongoing.

See https://security-tracker.debian.org/tracker/CVE-2019-11811 for a lot of other distro links (the Source section at the top).

  • (Score: 5, Insightful) by The Shire (5824) on Monday July 22 2019, @07:51PM (#870046)

    It totally has, no need to look it up. But that's the exception to the rule - it's really rare. And you can manually reverse out a patch like that very quickly.

    The difference, of course, is that your exposure time is vastly reduced when you maintain a regular patch schedule. Debian, for example, is very fast to get security patches out, so if you maintain an up-to-date kernel and ancillary packages your exposure is at most a few hours, and that assumes you aren't manually patching even sooner. Your odds of staying "safe" are greatly improved by simply keeping your crap up to date.

    By the time that Exim zero-day made the news, all the systems under my control had already self-patched. It's the folks who manually patch and subsequently forget to do it that get bitten in the ass. Botnets are made of all the orphaned servers that IT has forgotten about.

    So yeah, I'm perfectly happy letting everything patch constantly. It's rare that a service needs to be restarted and even more rare that a server itself needs a restart. And in a cluster, having machines perform staggered restarts doesn't even impact the production environment they run in.

    Really no good reason not to perform continuous patching.