Time: 14:28 EST/19:28 GMT | News Source: IDG | Posted By: Robert Stein
The bug affects versions of the Linux kernel prior to 2.4.23, and was the method used during a recent attack on Debian's servers, according to the advisory. In that attack four Linux servers that hosted Debian's bug tracking system, mailing lists, and various Web pages were compromised.
Displaying Comments 1 through 5 of 5

This is an archived static copy of ActiveWin.com.
#1 By 16451 (63.227.226.13) at Tuesday, December 02, 2003 05:05:03 PM

#1 >>> I love the contradictory claim
The claim is not contradictory at all. The first statement applies to the availability of the source code patch for a single specific distro. The second statement applies to the binary distribution of patches for several distros.
This post was edited by RH7.3 on Tuesday, December 02, 2003 at 17:05.
#2 By 10022 (24.169.19.69) at Tuesday, December 02, 2003 07:03:13 PM

as Nelson Muntz would say: HA HA
so if you don't apply Linux patches then you're vulnerable... very interesting...
#4 By 12071 (203.217.16.60) at Wednesday, December 03, 2003 05:02:55 AM

#16 "60+ days to fix it?"
No, it was fixed on the 28th of September, it just wasn't propagated through earlier versions. So it was fixed 52 days before Debian was compromised. The reason it wasn't immediately applied to earlier versions is explained in the article:
"Even though this kernel bug was discovered in September by Andrew Morton and already fixed in recent pre-release kernels since October, its security implication wasn't considered that severe. Hence, no security advisories were issued by any vendor. However, after it was discovered to be used as a local root exploit the Common Vulnerabilities and Exposures project has assigned CAN-2003-0961 to this problem. It is fixed in Linux 2.4.23 which was released last weekend and in the Debian advisory DSA 403."
There's also the issue of keeping patches in test kernels separate - although I'm sure that they have learnt from this and in the future will hopefully automatically put out a security advisory.
"Can you say "Security By Obscurity" doesn't work?"
Where was the obscurity? It was noted that this bug exists, it was fixed and the full patch and source code was available since September.... where do you figure the obscurity was? The security problem here was the underestimation of this bug whereby it wasn't deemed important enough to immediately release a patch for. After all, what's to say that the person who compromised Debian didn't get the idea to attack this bug after seeing the notes about it and the fix itself? Sure, whinge about security (which you will anyway) but there's no obscurity here - that's Microsoft's domain!
"Or was Linus planning an OS X type "Upgrade or else" security patch?"
Get over it, grow up, whatever it takes. No, Linus won't charge you $129 to get the patch - if you have an issue with Apple, take it up with them rather than repeating your whinging!
"How many other kernel patches are being held back for no good reason?"
Go through the release notes! If there are bugs that have been fixed in test kernels then you'll have all the information there - what you won't find is the reasons why certain bugs haven't been patched for earlier versions, and those reasons could be like in this case where the bug isn't deemed severe enough (which is dangerous to assume!) or perhaps they are incompatible for whatever reason.
#5 By 20 (24.173.210.58) at Wednesday, December 03, 2003 11:36:08 AM

"Even though this kernel bug was discovered in September by Andrew Morton and already fixed in recent pre-release kernels since October, its security implication wasn't considered that severe. Hence, no security advisories were issued by any vendor. However, after it was discovered to be used as a local root exploit the Common Vulnerabilities and Exposures project has assigned CAN-2003-0961 to this problem. It is fixed in Linux 2.4.23 which was released last weekend and in the Debian advisory DSA 403."
How many other bugs are known about but "[aren't] considered that severe. Hence, no security advisories were issued by any vendor"?
What the hell kind of policy is that? Why are vendors determining whether or not they should release it? ALL vulnerabilities should be released immediately to let people manage risk appropriately.
THAT IS SECURITY THROUGH OBSCURITY. If MS pulled that stunt, they'd be crucified and indeed they have in the past and they do by hypocritical Penguinistas.
The fact is, Linux is being forced to grow up and play with the big boys and it can't get away with the lies that it's more secure. So in order to try to stretch the lies further, they obscure the truth and hide the skeletons in the closet.
"However, after it was discovered to be used as a local root exploit the Common Vulnerabilities and Exposures project has assigned CAN-2003-0961 to this problem"
Holy crap! Only after a vulnerability is discovered being exploited do they release an advisory about it? Very disconcerting.
Note to self: Never use Linux when you want to try to manage security risks.
(Edit: Typos)
This post was edited by daz on Wednesday, December 03, 2003 at 11:53.