Hi,

On Thursday 15 March 2007 10:28, John Andersen wrote:
On Thursday 15 March 2007, Hartmut Meyer wrote:
On Thursday 15 March 2007 05:43, John Andersen wrote:
On Wednesday 14 March 2007, Hartmut Meyer wrote:
Linux isn't exactly Windows which can be hacked by 12 year olds riding bikes thru your neighborhood.
Even if you are connected to the net 24/7, with no ports or services open you are not any more at risk than with a current distro.
With an Iptables firewall you can even open essential services that you need and be quite safe on line.
Maybe the CIA can hack their way into a machine with no ports open. But the script kiddies can't. And the CIA is not even vaguely interested in me.
I think you are spreading FUD.
Really?
And what about running applications (such as web browsers) or services (such as an MTA or ssh) on an old/unsupported version? Your firewall might be as good as it can get. But if you have a need for say the MTA (old/unsupported MTA that is) being reachable from outside or use a web browser (again: old/unsupported) to browse the net (just two examples) what good will the firewall do you?
The kernel isn't the only potential problem and a root exploit not the only potential risk.
Is that FUD?
Has it occurred to you you haven't been able to point out a single flaw related to an older version of Suse linux but are forced instead to trot out fictional flaws in applications as a surrogate for your FUD?
You're right: I didn't point out "a single flaw". But that's not because they don't exist. Rather it's because I don't pay attention and/or memorise such instances. It's not my field of expertise.

Are you on the other hand saying that such security relevant problems (in both new and old versions) don't exist? I don't imagine so ...

Just for the sake of it, let's have a look at the most recent recommended update as announced on the suse-security-announce mailing list on the 6th of March:

--- snip -----

                        SUSE Security Announcement

        Package:                MozillaFirefox,seamonkey
        Announcement ID:        SUSE-SA:2007:019
        Date:                   Tue, 06 Mar 2007 18:00:00 +0000
        Affected Products:      SUSE LINUX 9.3
                                SUSE LINUX 10.0
                                SUSE LINUX 10.1
                                openSUSE 10.2
                                Novell Linux Desktop 9
                                SUSE SLED 10
                                SUSE SLES 10
        Vulnerability Type:     remote code execution
        Severity (1-10):        6
        SUSE Default Package:   yes
        Cross-References:       CVE-2006-6077, CVE-2007-0008, CVE-2007-0009
                                CVE-2007-0775, CVE-2007-0776, CVE-2007-0777
                                CVE-2007-0778, CVE-2007-0779, CVE-2007-0780
                                CVE-2007-0800, CVE-2007-0981, CVE-2007-0994
                                CVE-2007-0995, CVE-2007-0996, CVE-2007-1092
                                MFSA 2006-72, MFSA 2007-01, MFSA 2007-02
                                MFSA 2007-03, MFSA 2007-04, MFSA 2007-05
                                MFSA 2007-06, MFSA 2007-08, MFSA 2007-09

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             Mozilla Firefox security release 1.5.0.10 / 2.0.0.2
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   The Mozilla Firefox web browser was updated to security update version 1.5.0.10 on older products and Mozilla Firefox to version 2.0.0.2 on openSUSE 10.2 to fix various security issues.

   Updates for the Mozilla seamonkey suite before 10.2, Mozilla Suite and Mozilla Thunderbird are still pending.

   Full details can be found on:
   http://www.mozilla.org/projects/security/known-vulnerabilities.html

   - MFSA 2007-01: As part of the Firefox 2.0.0.2 and 1.5.0.10 update releases several bugs were fixed to improve the stability of the browser. Some of these were crashes that showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. These fixes affected the layout engine (CVE-2007-0775), SVG renderer (CVE-2007-0776) and javascript engine (CVE-2007-0777).

   - MFSA 2007-02: Various enhancements were done to make XSS exploits against websites less effective. These included fixes for invalid trailing characters (CVE-2007-0995), child frame character set inheritance (CVE-2007-0996), password form injection (CVE-2006-6077), and the Adobe Reader universal XSS problem.

   - MFSA 2007-03/CVE-2007-0778: AAd reported a potential disk cache collision that could be exploited by remote attackers to steal confidential data or execute code.

   - MFSA 2007-04/CVE-2007-0779: David Eckel reported that browser UI elements--such as the host name and security indicators--could be spoofed by using a large, mostly transparent, custom cursor and adjusting the CSS3 hot-spot property so that the visible part of the cursor floated outside the browser content area.

   - MFSA 2007-05: Manually opening blocked popups could be exploited by remote attackers to allow XSS attacks (CVE-2007-0780) or to execute code in local files (CVE-2007-0800).

   - MFSA 2007-06: Two buffer overflows were found in the NSS handling of Mozilla.

     CVE-2007-0008: SSL clients such as Firefox and Thunderbird can suffer a buffer overflow if a malicious server presents a certificate with a public key that is too small to encrypt the entire "Master Secret". Exploiting this overflow appears to be unreliable but possible if the SSLv2 protocol is enabled.

     CVE-2007-0009: Servers that use NSS for the SSLv2 protocol can be exploited by a client that presents a "Client Master Key" with invalid length values in any of several fields that are used without adequate error checking. This can lead to a buffer overflow that presumably could be exploitable.

   - MFSA 2007-06/CVE-2007-0981: Michal Zalewski demonstrated that setting location.hostname to a value with embedded null characters can confuse the browsers domain checks. Setting the value triggers a load, but the networking software reads the hostname only up to the null character while other checks for "parent domain" start at the right and so can have a completely different idea of what the current host is.

   - MFSA 2007-08/CVE-2007-1092: Michal Zalewski reported a memory corruption vulnerability in Firefox 2.0.0.1 involving mixing the onUnload event handler and self-modifying document.write() calls. This flaw was introduced in Firefox 2.0.0.1 and 1.5.0.9 and does not affect earlier versions; it is fixed in Firefox 2.0.0.2 and 1.5.0.10.

   - MFSA 2007-09/CVE-2007-0994: moz_bug_r_a4 reports that the fix for MFSA 2006-72 in Firefox 1.5.0.9 and Firefox 2.0.0.1 introduced a regression that allows scripts from web content to execute arbitrary code by setting the src attribute of an IMG tag to a specially crafted javascript: URI.

     The same regression also caused javascript: URIs in IMG tags to be executed even if JavaScript execution was disabled in the global preferences. This facet was noted by moz_bug_r_a4 and reported independently by Anbo Motohiko.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

--- snap -----

Still FUD?

Greetings from Stuhr
  hartmut

-- 
Hartmut Meyer, EMEA NTS Business Development Project Manager
SUSE LINUX GmbH, GF: Volker Smid, HRB 21284 (AG Nürnberg)
Maxfeldstr. 5, D-90409 Nuernberg
T: +49 421 3064385 - M: +49 179 2279480
F: +49 421 3064387 - hartmut.meyer@novell.com
----------------------------------------------------
SUSE® Linux Enterprise 10 - Your Linux is ready
http://www.novell.com/linux
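
The hostname mismatch that the quoted advisory describes under CVE-2007-0981, modelled as an added example (it is not part of the original e-mail and is not Mozilla's code): one consumer stops reading at the first null character, the other compares labels from the right, and a validation step rejects any value on which the two could disagree. All function names and the `.example` hostnames are constructed for illustration.

```javascript
// Constructed model of the two hostname views described for CVE-2007-0981.
// Function names and hostnames are hypothetical, chosen for this example only.

// View 1: C-string style consumer, stops at the first NUL character.
function networkView(hostname) {
  const nul = hostname.indexOf('\u0000');
  return nul === -1 ? hostname : hostname.slice(0, nul);
}

// View 2: "parent domain" check that compares labels starting from the right.
function isSameOrSubdomain(hostname, parent) {
  const h = hostname.toLowerCase().split('.').reverse();
  const p = parent.toLowerCase().split('.').reverse();
  return p.length <= h.length && p.every((label, i) => label === h[i]);
}

// Hardened validation before the value is used anywhere: accept only plain
// letter-digit-hyphen labels, so every consumer sees the same string.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;
function validateHostname(hostname) {
  if (typeof hostname !== 'string' || hostname.length === 0 || hostname.length > 253) {
    return { ok: false, reason: 'length' };
  }
  if (/[\u0000-\u0020\u007f]/.test(hostname)) {
    return { ok: false, reason: 'control-or-space character' };
  }
  if (!hostname.split('.').every((l) => LABEL.test(l))) {
    return { ok: false, reason: 'invalid label' };
  }
  return { ok: true, reason: null };
}

// Detection helper: do the two consumers disagree about this value?
function viewsDisagree(hostname, parent) {
  return isSameOrSubdomain(hostname, parent) !==
         isSameOrSubdomain(networkView(hostname), parent);
}

// Constructed sample values using reserved .example names.
const samples = ['www.site.example', 'other.example\u0000.site.example'];
for (const s of samples) {
  console.log(JSON.stringify(s), validateHostname(s), viewsDisagree(s, 'site.example'));
}
```
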