
Re: Bug#130876: Very definitely a bug, security

Lazarus Long <lazarus@overdue.ddts.net> writes:

>  > severity 130876 wishlist
>  > thanks
>  > 
>  >  This is not a bug.  
> This is definitely a security risk.

It helps auditing a large farm of Debian machines.

For example, there is currently no reliable way to remotely tell if a
box running OpenSSH 1.2.3 is using an up-to-date Debian version with
the security fix.  An attacker will simply try all his exploits and
move to the next machine if they are unsuccessful.  The good guys can
do that, too, but they cannot be sure if they just got the offsets
wrong or something like that, so that the machine is vulnerable
even though the attack was not successful.

Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
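The auditing problem described in the message above, as an added example that is not part of the original thread or of any Debian package: a small banner grabber and parser for the SSH identification string (RFC 4253 section 4.2, "SSH-protoversion-softwareversion [SP comments]"). It shows that the softwareversion token only carries the upstream OpenSSH version, so a remote check can say "OpenSSH 1.2.3" but not whether a distribution security fix is in that build. The sample banners are constructed for offline use, and the "Debian-1" comment field in the last one is a hypothetical way a package revision could be exposed; the page does not specify any such format.

```python
import re
import socket

# Identification string per RFC 4253 s4.2: SSH-protoversion-softwareversion [SP comments] CR LF.
# Old protocol-1 servers end the line with LF only, so the pattern tolerates both.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r?\n?$"
)

# Upstream OpenSSH version inside the softwareversion token, e.g. "OpenSSH_2.9p2" -> "2.9p2".
OPENSSH_RE = re.compile(r"^OpenSSH[_-](?P<ver>[0-9][0-9A-Za-z.]*)$")

# Constructed sample banners (illustrations, not captures from real hosts).
# The "Debian-1" comment in the last one is a hypothetical package-revision tag.
SAMPLE_BANNERS = [
    "SSH-1.5-OpenSSH_1.2.3\n",
    "SSH-1.99-OpenSSH_2.9p2\r\n",
    "SSH-2.0-OpenSSH_2.9p2 Debian-1\r\n",
]


def parse_banner(line):
    """Return the fields of an SSH identification string, or None if the line is not one."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    software = m.group("software")
    om = OPENSSH_RE.match(software)
    return {
        "proto": m.group("proto"),
        "software": software,
        "upstream_version": om.group("ver") if om else None,
        # Only the free-form comment field could carry a distribution revision;
        # the softwareversion token alone never does.
        "distro_revision": m.group("comment") or None,
    }


def audit_verdict(parsed):
    """State what a remote auditor can conclude from the banner alone."""
    if parsed is None:
        return "not an SSH identification string"
    if parsed["upstream_version"] is None:
        return "software %s: not OpenSSH, upstream version unknown" % parsed["software"]
    if parsed["distro_revision"] is None:
        return ("OpenSSH %s: upstream version only; cannot tell whether a "
                "distribution security fix is applied" % parsed["upstream_version"])
    return "OpenSSH %s, package revision %s: patch level determinable" % (
        parsed["upstream_version"], parsed["distro_revision"])


def grab_banner(host, port=22, timeout=5.0):
    """Read the server's identification line; lines before it that do not start
    with "SSH-" are skipped, as RFC 4253 s4.2 permits servers to send them."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace", newline="\n")
        for line in f:
            if line.startswith("SSH-"):
                return line
    return None


if __name__ == "__main__":
    # Offline run over the constructed samples; grab_banner(host) does the same against a live host.
    for banner in SAMPLE_BANNERS:
        print(repr(banner.strip()), "->", audit_verdict(parse_banner(banner)))
```

Against a live host, `audit_verdict(parse_banner(grab_banner("10.0.0.5")))` gives the same three-way answer; the "upstream version only" case is exactly the situation the message complains about, where the auditor is left to try the exploit and cannot distinguish a fixed build from a failed attempt.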
