
Re: Linux 2.0.36 in slink?



On Thu, Dec 17, 1998 at 09:02:52PM -0800, Oscar Levi wrote:
> > You seem to be confusing a bug that crashes the kernel and a security hole
> > that may crash the kernel, or allow access to private info, or anything
> > else. A security hole can be reproduced at will by an attacker, without a
> > great deal of difficulty.
> 
> Is it correct that this security hole requires login access to the
> computer?  If an attack can be perpetrated from anywhere on the
> Internet to an Internet-connected computer, then it is clear that the
> hole in 2.0.35 has a high probability of exploitation, since a large
> percentage of GNU/Linux systems are Internet connected.  If the attack
> requires access to a user account on the machine, then the exploit is
> overrated.  It is all in the interpretation of 'great deal of
> difficulty.'

The 2.0.36 kernel fixes DoS situations; yes, this usually means from
anywhere on the Internet.

Even root exploits requiring logins are severely serious--you don't run
an ISP, do you?  If they can log in and root your machine, you're screwed.


I think it would be foolish and irresponsible to ship with either type of
known bug present and ignored.


> > Yes. It's worth a delay to fix any security hole. Debian must not ship with
> > known security holes. Quality is our priority, we have never sacrificed
> > quality for marketing concerns.
> 
> Let's let the security issue pass.  It isn't important.  I agree we
> should upgrade.  Now, at this point is it worth shipping slink?  By
> the time we get around to gel'ing it, the packages will be out of
> date.  Some already are.  

LET THE SECURITY ISSUE PASS?!?  This would be a really, really bad idea.
2.0.35 has remote DoS exploits possible!  Either the fixes need to be
backported or we need to upgrade.  Slink is going to need to be postponed
until January at least as it is; the extra time to make sure a new stable
kernel works is probably not going to add any delay to slink, and if it
does, the delay will be insignificant.


> Software release is time-critical.  No matter how hard you beat the
> quality drum, the distribution that can ship often will show the best.
> RedHat has shipped several buggy distributions in the 5.x series.  I
> just tried to install 5.2 and found a nest of problems.  Unpleasant as
> it is, users can only choose a distribution that ships.  Hamm is out
> of the running and the competition is fierce.  They shipped with bugs
> that required 30MB of updates.  But they shipped...and people use it.

We're better than that, aren't we?  Isn't that why most of us are Debian
users and many became Debian developers--because RedHat's rushed and
buggy releases are frustrating at the very least, and because we felt we
could do better than that?

-- 
Sig du jour!