Re: [opensuse] Kernel Security Issue
Not to show my ignorance, but after reading the info about this exploit, just how would my system come under attack by it? Is it embedded in some malicious java code on a website or contained in an email message that I don't read anyway? Just how would an attacker use this kernel exploit on my system? Also, from the opensuse-security announcement: "Please note that these update channels contain "beta" quality updates, so are not recommended for production use systems. Only use the kernel." WTF does that mean? If I have a production machine, don't apply the fix? Fred -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Not to show my ignorance, but after reading the info about this exploit, just how would my system come under attack by it? Is it embedded in some malicious java code on a website or contained in an email message that I don't read anyway? Just how would an attacker use this kernel exploit on my system?
Also, from the opensuse-security announcement: "Please note that these update channels contain "beta" quality updates, so are not recommended for production use systems. Only use the kernel."
WTF does that mean? If I have a production machine, don't apply the fix?
Fred
Fred, For that exploit to work they would need to have local access to your machine and probably a compiler privileges. If you're tight on security you shouldn't be affected, make sure your /tmp is noexec, nosuid and your scripts (Perl, PHP, etc...) are not vulnerable to remote file inclusion exploits.
WTF does that mean? If I have a production machine, don't apply the fix? That just means you're on your own until it reaches updates channel and you can't bug novell if something goes wrong. Any beta product is not recommended for production use due to lack of testing, but I've seen many beta applications working in very large production systems.
-- Best regards, Nick Zeljkovic -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Stevens wrote:
Not to show my ignorance, but after reading the info about this exploit, just how would my system come under attack by it? Is it embedded in some malicious java code on a website or contained in an email message that I don't read anyway? Just how would an attacker use this kernel exploit on my system?
Someone has to get the code onto your system, and then run it. If you do NOT have other people logging onto the system, then the exploit by itself is not a threat -- it MUST be combined with one or more other exploits to: 1) get it onto your system 2) execute it.
Also, from the opensuse-security announcement: "Please note that these update channels contain "beta" quality updates, so are not recommended for production use systems. Only use the kernel."
WTF does that mean? If I have a production machine, don't apply the fix?
In general, I wouldn't, no. POSSIBLY for a multi-user machine on which people are logging in and using a shell or GUI, in undergraduate students or younger are users, I would upgrade the kernel. But in general, no, especially for business. I'll trust employees more than a "beta" patch. Better quality fixes will be available shortly.
Fred
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Monday 2008-02-11 at 11:35 -0600, Stevens wrote: ...
Also, from the opensuse-security announcement: "Please note that these update channels contain "beta" quality updates, so are not recommended for production use systems. Only use the kernel."
WTF does that mean? If I have a production machine, don't apply the fix?
You were reading the advance notice they gave on Monday, that they had a fixed kernel, would be testing it, and thus it was marked beta. On Tuesday they pushed the "real" update to the normal YOU update servers, which is the one you should normally be using for production. On the other hand, if you felt your machine was at risk for that exploit, and you estimate that the risk of the exploit is greater than the risk of using a bets kernel, then by all means, install it. It just a typical day admin decision ;-p P.S.: You can ask about security announces in the security list, too. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHsliPtTMYHG2NR9URAkfZAKCTVin58TiUOqKXFGMORvcuNGFayACfRIR6 aE77fRpgkOlU19c18Xbzvic= =Y8Ed -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
participants (4)
-
Aaron Kulkis
-
Carlos E. R.
-
Nick Zeljkovic
-
Stevens