* r.maurizzi@digitalpha.it (r.maurizzi@digitalpha.it) [030923 10:38]:

Did you read the announce? It seems to me you have not.

See http://www.securitytracker.com/alerts/2003/Sep/1007721.html

Well, here is another URL at ya. :P http://www.kde.org/info/security/advisory-20030916-1.txt Notice the date on the file. And I would have had no reason to go digging for any KDM issues what so ever since I personally think it's a waste of resources..I am quite capable of typing startx. And this would beg the question ..If SuSE was aware of the issue as far back as the announce list email you've pointed me to would seem to indicate then why wouldn't someone just post that this doesn't effect SuSE users since they've fixed it. So far ..silence. Adrian told me in an email off this list that there would be 3.1.4 pkgs soon to address some problems. I took this as the security issue and the missing kcsd and kio plugins. I'm sorry I didn't share the private email with you personally but since I don't even recognize your email from the list ..I didn't think it mattered. I spoke from a position of talking to the man himself, so I was confident that I was speaking out of my ass. I might have been but as far I know ..I wasn't.

...

It is reported that with a certain configuration of the MIT pam_krb5 module, a pam_setcred() call may fail while leaving the session alive when a remote authenticated user connects, thereby granting root access to the remote authenticated user (CVE: CAN-2003-0690).

The situation is that: - SuSE do not have KMD listening on the network unless you enable it

I don't use the POS resource hog..so my concern was for others. I guess I'm just selfless when it comes to this. ;)

- SuSE do not have pam_krb5 installed or configured

Doesn't matter the vulnerability exists in the packages that they shipped. So a fix being put out can not be argued about.

- the number of Linux boxes connected to the net that let in users using X11/XDCMP is near zero, due to the inefficiency of the protocol

And how would you know this. Do you statistics to back up your assertion? Or would you just be stating an opinion? Do you know every Linux user personally and do you do scans of all ip networks? I think not. Whether the protocol is inefficient or not..it's in wide enough use that the vulnerability was announced..you don't see to many telnet bugs being announced loudly..because having telnet open on public facing machines when other methods exist is stupid and would just garnish ridicule.

- if you really *ARE* in that kind of situation (public X server with kerberos support on a fast public lan) you can always use another XDM for a few days

I'm not in any kind of situation with KDM or any other GUI login manager because they are a waste in my opinion but as I said earlier I'm more worried about those who don't work like I do or think as I do.

Then, why do you think this is an _important_ security upgrade?

Security is security..one doesn't pick and choose. If it has the ability to be problem then it should be fixed. Period. The picking and choosing of what security issues to address would be the cause of the constant messages that I see scrolling in my tail window...so many so that I might as well not even tail my procmail or fetchmail logs because the firewall log just shoves them past to fast. The way your portraying how security is thought of is why we have so much background noise on the Internet today. It's called erroring on the side of caution. -- Ben Rosenberg ---===---===---===--- mailto:ben@whack.org ----- If two men agree on everything, you can be sure that only one of them is doing the thinking.