April 12th, 2006 by Keith
Linux Kernel 2.6.16.4 - Security Patch
Posted in Development Software, Linux, Site News
The latest stable release of the Linux kernel is version 2.6.16.4, released on April 11, 2006. The change log is located here.
According to Security Lab, there is a major security issue affecting Linux machines running kernel 2.6.x: a local DoS (denial-of-service) vulnerability.
The article describes the problem as follows:
The problem lies in sys_timer_create() in Linux/kernel/posix-timers.c. Each time a user creates a POSIX timer, some kernel memory is allocated. Since the count of timers that can be created by a user is limited only by sigqueue size (e.g. 4294967295 in Debian), every local user can exhaust all available memory, which will trigger oom_killer (mm/oom_kill.c). If a process itself uses a small amount of memory, its oom_score will be low, so all other processes would be killed.
The change log from Linux kernel version 2.6.16.3 was noted to consist of a single patch for what appears initially to be an issue in the key management code. The 4th stable release, 2.6.16.4, patches the RCU signal handling.
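The quoted report says the number of timers is bounded only by the sigqueue size. The C program below is an added example, not code from the original post or the kernel: it audits that bound, which Linux exposes as RLIMIT_SIGPENDING and as the "Max pending signals" row of /proc/<pid>/limits. The 65536 ceiling, the function names and the sample text are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Assumed policy ceiling for this example, not a kernel or distro default. */
#define SIGPENDING_CEILING 65536UL

enum verdict { LIMIT_OK = 0, LIMIT_HIGH = 1, LIMIT_UNBOUNDED = 2 };

/* Constructed sample of /proc/<pid>/limits content (not captured output). */
static const char SAMPLE_LIMITS[] =
    "Limit                     Soft Limit           Hard Limit           Units\n"
    "Max open files            1024                 4096                 files\n"
    "Max pending signals       63432                63432                signals\n";

/* Classify a soft RLIMIT_SIGPENDING value against the assumed ceiling. */
enum verdict classify_sigpending(rlim_t soft)
{
    if (soft == RLIM_INFINITY)
        return LIMIT_UNBOUNDED;
    return soft > SIGPENDING_CEILING ? LIMIT_HIGH : LIMIT_OK;
}

/* Extract the soft "Max pending signals" value from limits text.
 * Returns 0 on success, -1 if the row is missing or malformed. */
int parse_limits_text(const char *text, rlim_t *soft)
{
    static const char key[] = "Max pending signals";
    const char *p = strstr(text, key);
    if (!p)
        return -1;
    p += sizeof key - 1;
    while (*p == ' ' || *p == '\t')
        p++;
    if (strncmp(p, "unlimited", 9) == 0) {
        *soft = RLIM_INFINITY;
        return 0;
    }
    if (*p < '0' || *p > '9')
        return -1;
    *soft = (rlim_t)strtoull(p, NULL, 10);
    return 0;
}

int main(void)
{
    static const char *names[] = { "ok", "high", "unbounded" };
    struct rlimit rl;
    rlim_t sample;
    if (getrlimit(RLIMIT_SIGPENDING, &rl) == 0)   /* this process's own limit */
        printf("current process: %s\n", names[classify_sigpending(rl.rlim_cur)]);
    if (parse_limits_text(SAMPLE_LIMITS, &sample) == 0)
        printf("sample text: %s\n", names[classify_sigpending(sample)]);
    return 0;
}
```
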










