September 29, 2009
A vulnerability in certain versions of the Linux kernel allows local users to gain privileges. In response, EC2 has released patched 2.6.18 and 2.6.21 kernels (AKI) and ramdisks (ARI). We suggest that EC2 users update their AMIs and relaunch their affected instances to take advantage of the patched kernels.
Detailed information about the vulnerability and patch is available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
Note that this vulnerability affects all Linux kernels 2.6.0 through 2.6.30.4 unless patched.
2.6.21 kernels are available as:
US Region:
32-bit:
- aki-6eaa4907
- ari-e7dc3c8e
- ami-48aa4921
64-bit:
- aki-a3d737ca
- ari-4fdf3f26
- ami-f61dfd9f
EU Region:
32-bit:
- aki-02486376
- ari-aa6348de
- ami-0a48637e
64-bit:
- aki-f2634886
- ari-a06348d4
- ami-927a51e6
The appropriate modules are in ec2-downloads and the full source is here: http://ec2-downloads.s3.amazonaws.com/linux-2.6.21.7-2.fc8xen-ec2-v1.0-src.tgz
2.6.18 kernels are available as:
US Region:
32-bit:
- aki-f5c1219c
- ari-dbc121b2
64-bit:
- aki-e5c1218c
- ari-e3c1218a
EU Region:
32-bit:
- aki-966a41e2
- ari-906a41e4
64-bit:
- aki-aa6a41de
- ari-946a41e0
The appropriate modules are in ec2-downloads and the full source is here: http://ec2-downloads.s3.amazonaws.com/xen-3.1.0-src-ec2-v1.2.tgz
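A triage helper for the affected range and the patched kernel images listed above, added here as an example and not part of the original bulletin. The function names, status labels and sample inventory are assumptions constructed for illustration; the AKI identifiers and the version range are taken from the bulletin.

```python
import re

# Affected range as stated in the bulletin: 2.6.0 through 2.6.30.4 unless patched.
AFFECTED_MIN = (2, 6, 0, 0)
AFFECTED_MAX = (2, 6, 30, 4)

# Patched kernel images (AKIs) copied from the bulletin's US and EU lists.
PATCHED_AKIS = {
    "aki-6eaa4907", "aki-a3d737ca", "aki-02486376", "aki-f2634886",  # 2.6.21
    "aki-f5c1219c", "aki-e5c1218c", "aki-966a41e2", "aki-aa6a41de",  # 2.6.18
}

def parse_release(release):
    """Return the numeric prefix of a `uname -r` string as a 4-tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if m is None:
        raise ValueError("unrecognized kernel release: %r" % release)
    # A missing fourth component (e.g. "2.6.18-xenU") counts as .0
    return tuple(int(part or 0) for part in m.groups())

def triage(release, aki=None):
    """Classify one instance (status labels are hypothetical)."""
    if not (AFFECTED_MIN <= parse_release(release) <= AFFECTED_MAX):
        return "outside-affected-range"
    if aki in PATCHED_AKIS:
        return "patched-aki"
    # The version number alone cannot show whether a fix was backported,
    # so in-range kernels on any other image are flagged for review.
    return "needs-review"

# Constructed sample inventory: (instance label, `uname -r` output, AKI).
# "aki-00000000" is a placeholder, not a real image ID.
SAMPLE = [
    ("web-1", "2.6.21.7-2.fc8xen", "aki-6eaa4907"),
    ("web-2", "2.6.21.7-2.fc8xen", "aki-00000000"),
    ("db-1", "2.6.18-xenU-ec2-v1.0", "aki-00000000"),
    ("batch-1", "2.6.31-302-ec2", "aki-00000000"),
]

def report(inventory):
    """Map each instance label to its triage status."""
    return {name: triage(release, aki) for name, release, aki in inventory}

if __name__ == "__main__":
    for name, status in report(SAMPLE).items():
        print(name, status)
```

An instance reported as `needs-review` is one to relaunch on a patched AKI and ARI as the bulletin suggests, or to confirm as patched by other means.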