lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: adamsc at gmail.com (Chris Adams)
Subject: !SPAM! Automated ssh scanning

On Sat, 28 Aug 2004 00:40:32 +0200, Robert Jaroszuk <zim@...pl> wrote:
> I have checked today dist-upgraded debian sarge, with *default* kernel
> (2.4.18-bf2.4), and it is still *vulnerable* to do_brk, kmod, and
> ptrace exploits.
> 
> This kernel seems to be *not* patched since 2002.

This raises a very good question - why are known-insecure kernels
still being officially distributed? If you use stable you'll get a
2002 binary if you chose "kernel-image-2.4.18-686" but a secure kernel
if you chose "kernel-image-2.4.18-1-686" instead - quite a difference
from a seeming insignificant version number change. It's hard to think
of a scenario where it wouldn't be preferable to pull the bad packages
or at least include a prominent "Your system has a major security
hole" warning and a suggestion that you install the patched kernel
instead.

This has definitely improved in sarge where you have the
"kernel-image-2.4-686" and "kernel-image-2.6-686" packages with
dependencies tracking the current kernel, making the easy choice the
secure one as well.

Chris


Powered by blists - more mailing lists