Couple of questions to 'clear things up' I hope
Hi ya gang,

I'm in a kinda heated discussion with someone in another NG about the MySQL vulnerability. He's saying that up to and including the version in SuSE 8.2 (3.23.55-14) is still the vulnerable version(s). He's put up some URLs that show it's only a *candidate* (at least that's how I read it), but not fully acknowledged yet as 'vulnerable'. So if anyone here knows better, *is* the version in 8.2 vulnerable?

Also, he's saying that the 'kernel vulnerability' in 2.4.20 will affect *all* Linux distros that use it. I say that each distro doing its own 'patching' of kernels doesn't necessarily mean it's 'vulnerable' in *every* distro. I'm probably and will easily admit it, but I figured I'd find out from other sources (you guys) first, since I don't want to take the word of one person only...him. My argument is that since I've not seen or heard of either of these vulnerabilities in SuSE 8.2, and that if they *were* affecting 8.2, SuSE is *very fast* to make the announcements along with workarounds and/or a patch or updated rpm of <whatever>.

One last thing (it's an argument covering a lot of areas, heh), he's also saying that SuSE is 'meager' in its support of applications. He says Debian supports 8000 apps to SuSE's 2000...is this true also? He said 8000 are on the Debian CDs. I argued that though there may not be 8000 on the SuSE CDs/DVDs, that doesn't mean the apps won't work in SuSE, that he's just using a poor argument to say how Debian is 'better' overall (I personally don't think any one distro of Linux is 'better' or 'worse' than another, because it's *all* Linux, but this guy started to put down SuSE with a lot of unfounded garbage and I stepped up to defend the 'unfounded' part, not just SuSE).

So...am I really way off base and throwing mud in my own face with my arguments against this guy? Opinions anyone?

John
--
A butterfly is: Pretty, soft, harmless...and useless, just like M$N.
My Penguin and my Gecko eat butterflies.
John wrote:
Hi ya gang,
I'm in a kinda heated discussion with someone in another NG about the MySQL vulnerability. He's saying that up to and including the version in SuSE 8.2 (3.23.55-14) is still the vulnerable version(s). He's put up some URLs that show it's only a *candidate* (at least that's how I read it), but not fully acknowledged yet as 'vulnerable'. So if anyone here knows better, *is* the version in 8.2 vulnerable?

Also, he's saying that the 'kernel vulnerability' in 2.4.20 will affect *all* Linux distros that use it. I say that each distro doing its own 'patching' of kernels doesn't necessarily mean it's 'vulnerable' in *every* distro. I'm probably and will easily admit it, but I figured I'd find out from other sources (you guys) first, since I don't want to take the word of one person only...him. My argument is that since I've not seen or heard of either of these vulnerabilities in SuSE 8.2, and that if they *were* affecting 8.2, SuSE is *very fast* to make the announcements along with workarounds and/or a patch or updated rpm of <whatever>.

One last thing (it's an argument covering a lot of areas, heh), he's also saying that SuSE is 'meager' in its support of applications. He says Debian supports 8000 apps to SuSE's 2000...is this true also? He said 8000 are on the Debian CDs. I argued that though there may not be 8000 on the SuSE CDs/DVDs, that doesn't mean the apps won't work in SuSE, that he's just using a poor argument to say how Debian is 'better' overall (I personally don't think any one distro of Linux is 'better' or 'worse' than another, because it's *all* Linux, but this guy started to put down SuSE with a lot of unfounded garbage and I stepped up to defend the 'unfounded' part, not just SuSE).

So...am I really way off base and throwing mud in my own face with my arguments against this guy? Opinions anyone?
I stay away from these people...they start getting too fanatical or religious for my tastes! (fundamentalists...scary people, any way they come) If you (they) are that concerned with this sort of stuff....get out of the house and get a life!!!
John
--
A butterfly is: Pretty, soft, harmless...and useless, just like M$N.
My Penguin and my Gecko eat butterflies.
On Thu, May 22, 2003 at 09:41:05AM -0500, yonaton@tds.net wrote:
Hi ya gang,
I'm in a kinda heated discussion with someone in another NG about the MySQL vulnerability. He's saying that up to and including the version in SuSE 8.2 (3.23.55-14) is still the vulnerable version(s). He's put up some URLs that show it's only a *candidate* (at least that's how I read it), but not fully acknowledged yet as 'vulnerable'. So if anyone here knows better, *is* the version in 8.2 vulnerable?
Probably. I don't have a definitive answer.
Also, he's saying that the 'kernel vulnerability' in 2.4.20 will affect *all* Linux distros that use it. I say that each distro doing its own 'patching' of kernels doesn't necessarily mean it's 'vulnerable' in *every* distro. I'm probably and will easily admit it, but I figured I'd find out from other sources (you guys) first, since I don't want to take the word of one person only...him. My argument is that since I've not seen or heard of either of these vulnerabilities in SuSE 8.2, and that if they *were* affecting 8.2, SuSE is *very fast* to make the announcements along with workarounds and/or a patch or updated rpm of <whatever>.
Which kernel vulnerability? This one? http://lists2.suse.com/archive/suse-security-announce/2003-Mar/0011.html If it is, you'll see that 8.2 isn't vulnerable. Some distros may have patched 2.4.20 to fix the vulnerability. Some may have added their own patch for something else, and fixed it by accident (although this is less likely).
One last thing (it's an argument covering a lot of areas, heh), he's also saying that SuSE is 'meager' in its support of applications. He says Debian supports 8000 apps to SuSE's 2000...is this true also? He said 8000 are on the Debian CDs. I argued that though there may not be 8000 on the SuSE CDs/DVDs, that doesn't mean the apps won't work in SuSE, that he's just using a poor argument to say how Debian is 'better' overall (I personally don't think any one distro of Linux is 'better' or 'worse' than another, because it's *all* Linux, but this guy started to put down SuSE with a lot of unfounded garbage and I stepped up to defend the 'unfounded' part, not just SuSE).
Number of applications is a pointless argument. If it works on Debian, it'll probably work on SuSE; if not, then a bit of tinkering will probably make it work. SuSE is very good in terms of the number of apps distributed. Anyway, what do you call an 'application'? You can massage figures to tell you anything you want.
So...am I really way off base and throwing mud in my own face with my arguments against this guy?
Possibly. Possibly not.
Opinions anyone?
Don't bother. He's obviously a Debian evangelist. You're not going to change his mind. Let him use Debian. At least he's not using Windows. You're happy with what you're using (I hope). Keep using it. Don't waste your time arguing; do something more productive. On that note...

--
David Smith
STMicroelectronics, Bristol, England
Work Email: Dave.Smith@st.com
Home Email: David.Smith@ds-electronics.co.uk
GPG Key: 0xF13192F2
On Thursday 22 May 2003 10:02, Dave Smith wrote:
<snip>
Also, he's saying that the 'kernel vulnerability' in 2.4.20 will affect *all* Linux distros that use it. I say that each distro doing its own 'patching' of kernels doesn't necessarily mean it's 'vulnerable' in *every* distro. I'm probably and will easily admit it, but I figured I'd find out from other sources (you guys) first, since I don't want to take the word of one person only...him. My argument is that since I've not seen or heard of either of these vulnerabilities in SuSE 8.2, and that if they *were* affecting 8.2, SuSE is *very fast* to make the announcements along with workarounds and/or a patch or updated rpm of <whatever>.
Which kernel vulnerability? This one?
http://lists2.suse.com/archive/suse-security-announce/2003-Mar/0011.html
If it is, you'll see that 8.2 isn't vulnerable.
According to this URL he posted, there's a new(?) kernel vulnerability. I just haven't heard nor read *anything* other than the URL he gave about it. Here-> http://www.secunia.com/advisories/8786 So it's not the one in the URL you gave.
<snip>
One last thing (it's an argument covering a lot of areas, heh), he's also saying that SuSE is 'meager' in its support of applications. He says Debian supports 8000 apps to SuSE's 2000...is this true also? He said 8000 are on the Debian CDs. I argued that though there may not be 8000 on the SuSE CDs/DVDs, that doesn't mean the apps won't work in SuSE, that he's just using a poor argument to say how Debian is 'better' overall (I personally don't think any one distro of Linux is 'better' or 'worse' than another, because it's *all* Linux, but this guy started to put down SuSE with a lot of unfounded garbage and I stepped up to defend the 'unfounded' part, not just SuSE).
Number of applications is a pointless argument. If it works on Debian, it'll probably work on SuSE; if not, then a bit of tinkering will probably make it work.
I said the exact same thing, but he's one of these wormy bastards who twists anything he reads into something completely different from the original.
SuSE is very good in terms of the number of apps distributed. Anyway, what do you call an 'application'? You can massage figures to tell you anything you want.
So...am I really way off base and throwing mud in my own face with my arguments against this guy?
Possibly. Possibly not.
Opinions anyone?
Don't bother. He's obviously a Debian evangelist. You're not going to change his mind. Let him use Debian. At least he's not using Windows.
He 'supposedly' uses SuSE also(?), 8.1 I think he said, but it's just the *way* he's saying things that makes me think (even from the start) that he's lyin' out his butt.
You're happy with what you're using (I hope). Keep using it. Don't waste your time arguing; do something more productive.
Bet your butt I'm happy with SuSE! Thing is, it's not an argument about which distro is 'better' or not, it's the fact he just came out of nowhere when someone asked some questions about SuSE, saying it's less secure than others, less can be done on it, doesn't come with much to offer (like apps), etc, things like that. I felt because he was just talkin' BS, I'd put some facts into the matter from first-hand experience with SuSE as my only OS since 7.3, and he just kept coming back trying to 'prove' I was either lying, didn't know enough about Linux to be saying each distro does 'tweaks' and things to the kernel and thus one distro may not have the vulnerability others may have, or just was too stupid to know what I was saying at all.
John
--
A butterfly is: Pretty, soft, harmless...and useless, just like M$N.
My Penguin and my Gecko eat butterflies.
Hi,

On Thursday, 22 May 2003 16:41, John wrote:
I'm in a kinda heated discussion with someone in another NG about the MySQL vulnerability. He's saying that up to and including the version in SuSE 8.2 (3.23.55-14) is still the vulnerable version(s). He's put up some URLs that show it's only a *candidate* (at least that's how I read it), but not fully acknowledged yet as 'vulnerable'. So if anyone here knows better, *is* the version in 8.2 vulnerable?
I don't know anything about it, but Lenz (cc'ed) will be able to tell ...

Greetings from Bremen
hartmut
Hi,

On Thu, 22 May 2003, Hartmut Meyer wrote:
On Thursday, 22 May 2003 16:41, John wrote:
I'm in a kinda heated discussion with someone in another NG about the MySQL vulnerability. He's saying that up to and including the version in SuSE 8.2 (3.23.55-14) is still the vulnerable version(s). He's put up some URLs that show it's only a *candidate* (at least that's how I read it), but not fully acknowledged yet as 'vulnerable'. So if anyone here knows better, *is* the version in 8.2 vulnerable?
I don't know anything about it, but Lenz (cc'ed) will be able to tell ...
Can you elaborate on "*the* MySQL vulnerability"? Which one? Would you mind mentioning the URLs?

I'm not aware of an open issue - 3.23.55 fixed the security holes that were discovered by Stefan Esser from e-Matters.

In the future, we'd appreciate if you could send questions related to MySQL security to security@mysql.com - thanks in advance!

Bye,
LenZ
--
Lenz Grimmer
On Thursday 22 May 2003 15:15, Lenz Grimmer wrote:
<snip>
Can you elaborate on "*the* MySQL vulnerability"? Which one? Would you mind mentioning the URLs?
Yes, I'm sorry. I realized a good while *after* my post that I should have given the URL he posted. Here it is-> http://bugs.mysql.com/bug.php?id=122
I'm not aware of an open issue - 3.23.55 fixed the security holes that were discovered by Stefan Esser from e-Matters.
In the future, we'd appreciate if you could send questions related to MySQL security to security@mysql.com - thanks in advance!
I'll do it, but this wasn't a question from *me*, I was trying to show this guy that the version in SuSE 8.2 *wasn't* affected. He was trying to prove his point by showing this URL-> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0150 I tried to tell him that it was only a *candidate* for the possibility of being a full blown vulnerability...just as it says at the top of that site, but he keeps saying it's the real thing, even after I asked him to show me some other cite saying it's a vulnerability *besides* the URL above.
Bye, LenZ
John
--
A butterfly is: Pretty, soft, harmless...and useless, just like M$N.
My Penguin and my Gecko eat butterflies.
Hi, sorry for the late reply.

On Thu, 22 May 2003, John wrote:
Can you elaborate on "*the* MySQL vulnerability"? Which one? Would you mind mentioning the URLs?
Yes, I'm sorry. I realized a good while *after* my post that I should have given the URL he posted. Here it is-> http://bugs.mysql.com/bug.php?id=122
OK, that one is not fixed in the SuSE MySQL package - it was fixed in 3.23.56. However, this is not a remotely exploitable bug, you need to have a valid MySQL user account. But still, it's of course nasty to be able to crash MySQL with a valid query.
I'll do it, but this wasn't a question from *me*, I was trying to show this guy that the version in SuSE 8.2 *wasn't* affected. He was trying to prove his point by showing this URL-> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0150
I tried to tell him that it was only a *candidate* for the possibility of being a full blown vulnerability...just as it says at the top of that site, but he keeps saying it's the real thing, even after I asked him to show me some other cite saying it's a vulnerability *besides* the URL above.
This one, too, has been fixed in the meanwhile.
Bye,
LenZ
--
Lenz Grimmer
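The version question Lenz settles above (the 3.23.55-14 package in SuSE 8.2 versus the upstream 3.23.56 fix for bug #122) is a general one: the distro release number after the dash counts packaging revisions, so it can never show on its own whether an upstream fix was backported. The following is an added example, not code from any poster nor from SuSE or MySQL; it compares only the upstream part of an rpm-style version string against a fix version using a simplified form of rpm's version-comparison rules, with the sample versions taken from the thread and the function names being my own.

```python
import re
from typing import List, Tuple, Union

# Sample data constructed from the thread: the SuSE 8.2 package version John
# quotes and the upstream release Lenz says fixed MySQL bug #122.
SUSE_82_MYSQL = "3.23.55-14"
FIXED_UPSTREAM = "3.23.56"


def split_evr(evr: str) -> Tuple[str, str]:
    """Split 'version-release' into (version, release); release may be empty."""
    version, _, release = evr.partition("-")
    return version, release


def _tokens(s: str) -> List[Union[int, str]]:
    # Simplified rpmvercmp tokenising: runs of digits become ints, runs of
    # letters stay strings, and separators such as '.' are ignored.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def vercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two upstream versions: numeric runs compare
    as integers, alpha runs lexically, a numeric run beats an alpha run, and
    when one side is a prefix of the other the longer side wins."""
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def upstream_includes_fix(package_evr: str, fixed_version: str) -> bool:
    """True only if the package's upstream version is at or beyond the fix.
    The distro release (after '-') is deliberately ignored: '-14' says how
    often SuSE rebuilt 3.23.55, not whether the 3.23.56 change is in it."""
    version, _release = split_evr(package_evr)
    return vercmp(version, fixed_version) >= 0


def assess(package_evr: str, fixed_version: str) -> str:
    """Classify exposure from version strings alone. When the upstream version
    is older than the fix, the answer is inconclusive and the vendor advisory
    or package changelog has to be consulted for a backport."""
    if upstream_includes_fix(package_evr, fixed_version):
        return "upstream-fixed"
    return "check-vendor-backport"


if __name__ == "__main__":
    print(SUSE_82_MYSQL, "vs fix", FIXED_UPSTREAM, "->", assess(SUSE_82_MYSQL, FIXED_UPSTREAM))
```

For the thread's case the result is "check-vendor-backport", which is exactly the state John and his opponent were arguing over until Lenz confirmed the fix was not in the SuSE package.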
participants (5)
- Dave Smith
- Hartmut Meyer
- John
- Lenz Grimmer
- Oskar Teran