The Active Network

  Serious Linux Security Flaw Found
Time: 14:28 EST/19:28 GMT | News Source: IDG | Posted By: Robert Stein

The bug affects versions of the Linux kernel prior to 2.4.23, and was the method used during a recent attack on Debian's servers, according to the advisory. In that attack four Linux servers that hosted Debian's bug tracking system, mailing lists, and various Web pages were compromised.


  Displaying Comments 1 through 5 of 5
#1 By 16451 (63.227.226.13) at 12/2/2003 5:05:03 PM
#1 >>> I love the contradictory claim

The claim is not contradictory at all. The first statement applies to the availability of the source code patch for a single specific distro. The second statement applies to the binary distribution of patches for several distros.

This post was edited by RH7.3 on Tuesday, December 02, 2003 at 17:05.

#2 By 10022 (24.169.19.69) at 12/2/2003 7:03:13 PM
as Nelson Muntz would say: HA HA

so if you don't apply linux patches then you're vulnerable... very interesting...

#3 By 16451 (65.19.17.100) at 12/2/2003 11:12:01 PM
#11 >>> So ... why the slow service in fixing all of the other versions

Explained here: http://linuxtoday.com/security/2003120202726SCDBSV

#4 By 12071 (203.217.16.60) at 12/3/2003 5:02:55 AM
#16 "60+ days to fix it?"
No, it was fixed on the 28th of September, it just wasn't propagated through earlier versions. So it was fixed 52 days before Debian was compromised. The reason it wasn't immediately applied to earlier versions is explained in the article:

"Even though this kernel bug was discovered in September by Andrew Morton and already fixed in recent pre-release kernels since October, its security implication wasn't considered that severe. Hence, no security advisories were issued by any vendor. However, after it was discovered to be used as a local root exploit the Common Vulnerabilities and Exposures project has assigned CAN-2003-0961 to this problem. It is fixed in Linux 2.4.23 which was released last weekend and in the Debian advisory DSA 403."

There's also the issue of keeping patches in test kernels separate - although I'm sure that they have learnt from this and in the future will hopefully automatically put out a security advisory.

"Can you say "Security By Obscurity" doesn't work?"
Where was the obscurity? It was noted that this bug exists, it was fixed and the full patch and source code was available since September.... where do you figure the obscurity was? The security problem here was the underestimation of this bug whereby it wasn't deemed important enough to immediately release a patch for. After all, what's to say that the person who compromised Debian didn't get the idea to attack this bug after seeing the notes about it and the fix itself? Sure, whinge about security (which you will anyway) but there's no obscurity here - that's Microsoft's domain!

"Or was Linus was planning an OS X type "Upgrade or else" security patch?"
Get over it, grow up, whatever it takes. No, Linus won't charge you $129 to get the patch - if you have an issue with Apple, take it up with them rather than repeating your whinging!

"How many other kernel patches are being held back for no good reason?"
Go through the release notes! If there are bugs that have been fixed in test kernels then you'll have all the information there - what you won't find is the reasons why certain bugs haven't been patched for earlier versions, and those reasons could be like in this case where the bug isn't deemed severe enough (which is dangerous to assume!) or perhaps they are incompatible for whatever reason.

#5 By 20 (24.173.210.58) at 12/3/2003 11:36:08 AM
"Even though this kernel bug was discovered in September by Andrew Morton and already fixed in recent pre-release kernels since October, its security implication wasn't considered that severe. Hence, no security advisories were issued by any vendor. However, after it was discovered to be used as a local root exploit the Common Vulnerabilities and Exposures project has assigned CAN-2003-0961 to this problem. It is fixed in Linux 2.4.23 which was released last weekend and in the Debian advisory DSA 403."

How many other bugs are known about but "[aren't] considered that severe. Hence, no security advisories were issued by any vendor"?

What the hell kind of policy is that? Why are vendors determining whether or not they should release it. ALL vulnerabilities should be released immediately to let people manage risk appropriately.

THAT IS SECURITY THROUGH OBSCURITY. If MS pulled that stunt, they'd be crucified and indeed they have in the past and they do by hypocritical Penguinistas.

The fact is, Linux is being forced to grow up and play with the big boys and it can't get away with the lies that it's more secure. So in order to try to stretch the lies further, they obscure the truth and hide the skeletons in the closet.

"However, after it was discovered to be used as a local root exploit the Common Vulnerabilities and Exposures project has assigned CAN-2003-0961 to this problem"

Holy crap! Only after a vulnerability is discovered exploited do they release an advisory about it? Very disconcerting.

Note to self: Never use Linux when you want to try to manage security risks.

(Edit: Typos)

This post was edited by daz on Wednesday, December 03, 2003 at 11:53.
