| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: adamsc at gmail.com (Chris Adams) Subject: !SPAM! Automated ssh scanning On Sat, 28 Aug 2004 00:40:32 +0200, Robert Jaroszuk <zim@...pl> wrote: > I have checked today dist-upgraded debian sarge, with *default* kernel > (2.4.18-bf2.4), and it is still *vulnerable* to do_brk, kmod, and > ptrace exploits. > > This kernel seems to be *not* patched since 2002. This raises a very good question - why are known-insecure kernels still being officially distributed? If you use stable you'll get a 2002 binary if you chose "kernel-image-2.4.18-686" but a secure kernel if you chose "kernel-image-2.4.18-1-686" instead - quite a difference from a seeming insignificant version number change. It's hard to think of a scenario where it wouldn't be preferable to pull the bad packages or at least include a prominent "Your system has a major security hole" warning and a suggestion that you install the patched kernel instead. This has definitely improved in sarge where you have the "kernel-image-2.4-686" and "kernel-image-2.6-686" packages with dependencies tracking the current kernel, making the easy choice the secure one as well. Chris
Powered by blists - more mailing lists