
Re: root compromise on debian woody



On Thu, May 26, 2005 at 06:41:18PM -0700, Alvin Oga wrote:
> 
> > > CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
> > >         - kernel-source-2.6.11 2.6.11 2.6.11-4
> > >         - kernel-source-2.6.8 2.6.8-16
> > >         - kernel-source-2.4.27 2.4.27-10
> 
> always use the latest kernel ... from kernel.org ...
> 
> and similarly with other important binaries from their
> respective originating site
> 	mta, apache, kernel, glib, make/gcc, bash, endless list
> 

Sorry, but that is horrible advice.  For every app you get directly from
upstream, you become directly responsible for supporting security
issues.  I understand that even if you use the Debian packages, you are
still ultimately responsible.  Not only that, but the Debian Security
Team does an excellent job given the resources and situation.  Woody has
versions of software that were no longer supported upstream when Woody
shipped.  That makes security support really difficult, but that doesn't
mean that someone should run out and install everything from source.
That sort of defeats the purpose of a distro.

As far as the kernel, even Linus Torvalds himself, IIRC, has stated that
running kernels from kernel.org is not a good idea unless 1) you are
testing the kernel and/or developing on it, or 2) you are absolutely
100% certain that you know exactly what you are doing and the
ramifications of that.  Don't forget that on many occasions, the
release versions of the kernel have security vulnerabilities in them that
are only fixed in daily snapshots and won't become officially available
until the next release.

Add to that the fact that the kernel developers *do not* provide proper
security support.  That is, if kernel x.y.z runs perfectly for you and
CAN-xyzw comes out, they will fix it in the next release, which may or
may not work for you.  That leaves you with three choices: 1) continue to
run the vulnerable kernel, 2) upgrade to the new kernel and pray it doesn't
break, 3) backport the security fix yourself.  It's a lot of work either
way, unless that is your full-time job.  That is why the Debian Security
Team (and the respective teams for the other distros) spend lots of time
backporting kernel security fixes with minimal disturbance to the rest
of the kernel code.

-Roberto
-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
