From: Warren Togami (warren_at_togami.com)
Date: Sat 07 Feb 2004 - 09:55:06 GMT

> Hello Folks!
> because the last security fix for the chmod()/chroot()
> issue was a little too fast, and a little too secure
> for some distros (debian was mentioned), this release
> restricts the security to the 'important' parts, the
> vserver directory.
> this is done in the following way:
> the chroot() 000 barrier is unaffected and unchanged,
> but in addition to that, a barrier with IUNLINK set
> can not be changed (chmod()), so the exploit isn't
> possible on such a secured system.
> What do you have to do after applying that patch?
> chmod 000 /vservers
> chattr +t -d /vservers
> all-in-one and broken out patches for 2.4.24 as well
> as incremental patches are available at
> a temporary fix for the chmod()/chroot() exploit is
> to make the vserver directory immutable, but that
> will affect vserver creation and destruction in
> various ways, so an upgrade is advised.

In the future could you please post GPG signed .asc signatures along with
each release as part of standard release practice? Perhaps a link to the
.asc file on your page too?
It would really save me a lot of time because otherwise I need to manually
read diffs in order to guard against even the slightest possibility of
trojaned sources on a compromised site.
Vserver mailing list
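
Checking a detached .asc signature of the kind requested above can be scripted so that a release is accepted only when it was signed by one pinned key. This is an added example, not part of the original message or the project's tooling; the fingerprint, the sample status lines and the function names are constructed, and it assumes GnuPG is installed with the release key already imported.

```shell
#!/bin/sh
# Added example: accept a release patch only if its detached .asc signature
# is valid AND was made by a key whose primary fingerprint is pinned.
# "Good signature" alone is not enough: any key in the keyring produces that.

# Constructed placeholder fingerprint and constructed gpg --status-fd output.
SAMPLE_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2004-02-07 1076147706 0 4 0 1 2 00 $SAMPLE_FPR"

# status_matches_fpr <pinned-fingerprint>
# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG record is
# present whose primary-key fingerprint (10th argument, awk field 12)
# equals the pinned fingerprint, compared case-insensitively.
status_matches_fpr() {
    awk -v want="$1" '
        want != "" && $1 == "[GNUPG:]" && $2 == "VALIDSIG" && NF >= 12 &&
            toupper($12) == toupper(want) { ok = 1 }
        END { exit !ok }'
}

# verify_release <file> <file.asc> <pinned-fingerprint>
# Runs gpg on the detached signature and applies the pinning check.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_matches_fpr "$3"
}

# Stand-alone use: sh verify.sh <file> <file.asc> <pinned-fingerprint>
if [ "$#" -eq 3 ]; then
    if verify_release "$1" "$2" "$3"; then
        echo "OK: $1 is signed by the pinned key"
    else
        echo "REJECT: $1 has no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```

The pinned fingerprint should be obtained over a channel other than the download site, otherwise a compromised site can replace the key together with the sources.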