A series of recently announced security flaws open Linux and related technologies to attacks ranging from denials of service and local exploits to the potential for remote system compromise. Senior Linux developer Alan Cox announced a set of "race conditions" in the Linux kernel that were fixed in Version 2.6.9. The problems are in the terminal subsystem. Patches are also available for the 2.4x kernel, but not the 2.2 kernel.
Cox reports two problems, the first involving a local program performing specific operations with a particular timing, resulting in crashes and "other undefined behavior," including the release of small amounts of random kernel data. The second attack involves dial-up users connecting over PPP (point-to-point protocol) ports and performing a console switch at precisely the right time, causing a crash. The second attack can only be reproduced over direct serial lines, not modems, leading Cox to minimize the possibility of a true remote attack.
News source: eWeek