
Re: Release Notes: Anyone working on upgrade-related release notes?

On Sat, Apr 02, 2005 at 09:12:55PM +0200, Frederik Dannemare wrote:
> No need to wait for being "allowed" in. There's been plenty of remote 
> vuln. in many popular services the last couple of years. Many have 
> likely found their way in to the system through one of those, and then 
> further been able to get root via some local kernel vuln.

You misunderstood me, I didn't say that people might have Internet-facing
boxes with _no_ security updates. I said that a woody system installed with
boot-floppies and with _no_ kernel updates whatsoever (but with proper
security updates for other services) is not necessarily easily rooted on
the Internet. Believe me, I've had some of those in the past and I'm pretty
sure there are people still running those. 

And I didn't say those people were running "popular" services either. 
Please bear in mind that the default woody installation left a few open
services by default, IIRC these included exim (see #170451, fixed for
sarge), ssh, portmap, rpc.statd and some of inetd's "small" servers
(discard, daytime and time see #81118, #261906 and #237535 also fixed for
sarge). Better than the potato (and previous releases) default
installations (which included telnetd and rpc.mountd too).  There have been
some remote exploits against both exim and ssh in the past. But if a
woody system is kept up to date with security.debian.org it should not be
_that_ easy to break into even if the kernel is vulnerable.

If you want to prove me otherwise I can set up a fully patched default
installation of woody but with a vulnerable kernel in a production honeypot
environment and provide you with its IP address.


