| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Serious Linux Security Flaw Found | |
|
||
| Time: 14:28 EST/19:28 GMT | News Source: IDG | Posted By: Robert Stein | ||
|
The bug affects versions of the Linux kernel prior to 2.4.23, and was the method used during a recent attack on Debian's servers, according to the advisory. In that attack four Linux servers that hosted Debian's bug tracking system, mailing lists, and various Web pages were compromised. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 309 Last | Next |
The time now is
10:33:40 AM
ET.
Any comment problems? E-mail us |
| #1 By 16451 (63.227.226.13) at 12/2/2003 5:05:03 PM |
|
#1 >>> I love the contradictory claim
The claim is not contradictory at all. The first statement applies to the availability of the source code patch for a single specific distro. The second statement applies to the binary distribution of patches for several distros. This post was edited by RH7.3 on Tuesday, December 02, 2003 at 17:05. |
| #2 By 10022 (24.169.19.69) at 12/2/2003 7:03:13 PM |
|
as Nelson Muntz would say: HA HA
so if you dont apply linux patches then you're vulnerable... very interesting... |
| #3 By 16451 (65.19.17.100) at 12/2/2003 11:12:01 PM |
|
#11 >>> So ... why the slow service in fixing all of the other versions
Explained here: http://linuxtoday.com/security/2003120202726SCDBSV |
| #4 By 12071 (203.217.16.60) at 12/3/2003 5:02:55 AM |
|
#16 "60+ days to fix it?"
No, it was fixed on the 28th of September, it just wasn't propagated through earlier versions. So it was fixed 52 days before Debian was compromised. The reason it wasn't immediately applied to earlier version is explained in the article: "Even though this kernel bug was discovered in September by Andrew Morton and already fixed in recent pre-release kernels since October, its security implication wasn't considered that severe. Hence, no security advisories were issued by any vendor. However, after it was discovered to be used as a local root exploit the Common Vulnerabilities and Exposures project has assigned CAN-2003-0961 to this problem. It is fixed in Linux 2.4.23 which was released last weekend and in the Debian advisory DSA 403." There's also the issue of keeping patches in test kernels separate - although I'm sure that they have learnt from this and in the future will hopefully automatically put out a security advisory. "Can you say "Security By Obscurity" doesn't work?" Where was the obscurity? It was noted that this bug exists, it was fixed and the full patch and source code was available since September.... where do you figure the obscurity was? The security problem here was the underestimation of this bug whereby it wasn't deemed important enough to immediately release a patch for. After all, what's to say that the person who compromised Debian didn't get the idea to attack this bug after seeing the notes about it and the fix itself? Sure, whinge about security (which you will anyway) but there's no obscurity here - that's Microsoft's domain! "Or was Linus was planning an OS X type "Upgrade or else" security patch?" Get over it, grow up, whatever it takes. No Linus won't charge you $129 to get the patch - if you have an issue with Apple, take it up with them rather than repeating your whinging! "How many other kernel patches are being held back for no good reason?" Go through the release notes! If there's bugs that have been fixed in test kernels then you'll have all the information there - what you won't find is the reasons why certain bugs haven't been patched for earlier versions, and those reasons could be like in this case where the bug isn't deemed sever enough (which is dangerous to assume!) or perhaps they are incompatible for whatever reason. |
| #5 By 20 (24.173.210.58) at 12/3/2003 11:36:08 AM |
|
Even though this kernel bug was discovered in September by Andrew Morton and already fixed in recent pre-release kernels since October, its security implication wasn't considered that severe. Hence, no security advisories were issued by any vendor. However, after it was discovered to be used as a local root exploit the Common Vulnerabilities and Exposures project has assigned CAN-2003-0961 to this problem. It is fixed in Linux 2.4.23 which was released last weekend and in the Debian advisory DSA 403.
How many other bugs are known about but "[aren't] considered that severe. Hence, no security advisories were issued by any vendor"? What the hell kind of policy is that? Why are vendors determining whether or not they should release it. ALL vulnerabilities should be released immediately to let people manage risk appropriately. THAT IS SECURITY THROUGH OBSCURITY. If MS pulled that stunt, they'd be crucified and indeed they have in the past and they do by hypocritical Penguinistas. The fact is, Linux is being forced to grow up and play with the big boys and it can't get away with the lies that it's more secure. So in order to try to stretch the lies further, they obscure the truth and hide the skeletons in the closet. However, after it was discovered to be used as a local root exploit the Common Vulnerabilities and Exposures project has assigned CAN-2003-0961 to this problem Holy crap! Only after a vulnerabilities is discovered exploited do they release an advisory about it? Very disconcerting. Note to self: Never use Linux when you want to try to manage security risks. (Edit: Typos) This post was edited by daz on Wednesday, December 03, 2003 at 11:53. |
|
Write Comment
Return to News |
Displaying 1 through 25 of 309 Last | Next |
The time now is
10:33:40 AM
ET.
Any comment problems? E-mail us |
