[PLUG] Joe Jobbed

Ronald Chmara ron at Opus1.COM
Tue Oct 9 03:20:21 UTC 2007


On Oct 8, 2007, at 11:06 AM, Aaron Burt wrote:
> On Fri, Oct 05, 2007 at 08:11:07PM -0700, Ronald Chmara wrote:
>> I blame lazy distros, who don't keep on top of security (Cent,
>> Debian, Ubuntu, RHEL... the whole lot of 'em are to blame).
> What makes you say that?

Because every vendor-driven package manager I've used lately is 1-24  
months behind the latest security and stability fixes for some (or in  
a few cases, many) of its packages. I understand the whole idea of  
"stable" or "tested" (QA'd, certified, whatever) packages, but  
somehow, I tend to think that "this is so stable that it reliably  
lets attackers exploit it every time, and we won't fix it right now  
in case somebody *depends* on that feature!".... is not exactly a  
desirable condition.

>> I blame lazy admins, who think that uptime is more important than
>> security upgrades (if you are running a machine a year old, maybe you
>> *deserve* to be rootkit'ed).
> Kernel vulns are rare.  Remotely-exploitable ones far more so.

<http://www.google.com/custom?q=linux+kernel&sa=Google+Search&cof=S%3Ahttp%3A%2F%2Fcve.mitre.org%3BGL%3A0%3BAH%3Aleft%3BLC%3A%23009%3BL%3Ahttp%3A%2F%2Fcve.mitre.org%2Fimages%2Fgoogle_cvelogo.jpg%3BAWFID%3Adf91761661c84389%3B&domains=cve.mitre.org&sitesearch=cve.mitre.org>

This year so far, I counted 6 remote kernel vulns, 14 local kernel  
vulns.

I dunno what the metric for "rare" is, but if we don't find any more  
remote vulns this year, that's an average of a new remotely  
exploitable kernel vuln every 2 months, or, since we're in October,  
that's an average of two new kernel vulns (20/10) found every month.

>> I blame users (and admins) who don't understand that a disturbingly
>> large number of "web applications" are complete and total rubbish
>> (Joomla, WordPress, phpBB, phpNuke, Plesk, phpMyAdmin, cPanel... the
>> list is insane) when it comes to security.
> PHP does make it easy for newbs to write web-apps quickly, which leads
> to big security holes.  But the big-name apps are getting much better.

For this (getting better), I am thankful. Pity that their names often  
had to get dragged through the mud first, but that's life.

>> So, here's a quick survey:
>> Who has a web server that was running PHP 5.2.4, openSSL 0.9.8d,
>> Apache 2.2.6, and a 2.6.22.9 kernel *before* I sent this message?
> A lot of mine is older than that.  And patched.
> Do you not believe that it's possible to patch vulns in older  
> versions?

Oh, it's *quite* possible, I could put out a  
bind-4.0-12581768179f.rpm package right now, that was built from  
source that's been patched all the way up to bind 9.5 code (without  
bind 9.5 features). Sure, it's misleading, and sure, it leads to  
serious confusion about what version is *actually* being run, and  
sure, without side by side source compares, or a vendor just hoping  
that its users will "trust them to be current/secure", the end-user  
has no idea if they're running a current version.... but I certainly  
agree, it's *possible*.

I'm not exactly sure it's a *good idea*, though.

But in the spirit of making sure I dole out my beers right, so far, I  
owe Jon Scully for being version complete, Ed Sawiky for dodging the  
bullet by segmenting out (and thus nearly eliminating) the typical  
"problem child" binaries, and if you're actually monitoring the  
source patches, rather than giving a hoot about "version numbers",  
I'll gladly buy you a version of the package beer-0.1a-116987121.rpm  
(an early teaspoon version of beer that was actually patched up to  
being to a full beer).

:)

-Bop
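The point above, that a distro's version string says nothing about which security fixes have been backported, is easy to demonstrate with a small script. The following is an added example, not code from the mailing-list post or from any distro tool: it parses a changelog in the shape that `rpm -q --changelog <package>` prints (the sample changelog, the package name and the `CVE-0000-000N` ids are constructed placeholders) and contrasts the naive "is the upstream version new enough?" test with a check of which CVE ids the maintainer's changelog actually claims to address.

```python
"""Judge a package by its changelog, not its version string.

Added example (not from the original post). The changelog below is a
constructed sample in the format `rpm -q --changelog` emits; the CVE ids
CVE-0000-0001..0003 are placeholders, not real advisories.
"""
import re
from typing import NamedTuple

# Matches a CVE id anywhere in a changelog line (placeholders above match too).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Matches an rpm changelog header: "* Mon Oct 01 2007 Name <mail> - evr"
ENTRY_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{2} \d{4}) (?P<author>.+?) - (?P<evr>\S+)$"
)

# Constructed sample: the package still reports a 9.3.x upstream version,
# but the distro has backported two fixes on top of it.
SAMPLE_CHANGELOG = """\
* Mon Oct 01 2007 Example Maintainer <maint@example.invalid> - 9.3.4-6.0.2
- backport fix for CVE-0000-0002 (placeholder id)
- rebuild with hardening flags

* Tue Jul 24 2007 Example Maintainer <maint@example.invalid> - 9.3.4-6.0.1
- backport fix for CVE-0000-0001 (placeholder id)
"""


class Entry(NamedTuple):
    date: str
    evr: str              # [epoch:]version-release as the distro labels it
    cves: frozenset       # CVE ids this entry claims to address


def parse_changelog(text: str) -> list:
    """Split rpm-style changelog text into entries with their CVE ids."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            if current:
                entries.append(current)
            current = {"date": m["date"], "evr": m["evr"], "cves": set()}
        elif current is not None and line.startswith("- "):
            current["cves"].update(CVE_RE.findall(line))
    if current:
        entries.append(current)
    return [Entry(e["date"], e["evr"], frozenset(e["cves"])) for e in entries]


def fixed_cves(text: str) -> set:
    """All CVE ids mentioned in any changelog entry."""
    return set().union(*(e.cves for e in parse_changelog(text)))


def upstream_version(evr: str) -> tuple:
    """Strip epoch and distro release: '9.3.4-6.0.2' -> (9, 3, 4)."""
    ver = evr.split(":")[-1].split("-")[0]
    return tuple(int(p) for p in ver.split("."))


def assess(installed_evr: str, changelog: str, required_cves, fixed_upstream: tuple) -> dict:
    """Compare the version-number test with the changelog test.

    required_cves: ids the admin needs fixed; fixed_upstream: the first
    upstream version that carries all of them (constructed value in the demo).
    """
    fixed = fixed_cves(changelog)
    required = set(required_cves)
    return {
        # What a version-only scanner would conclude.
        "version_says_vulnerable": upstream_version(installed_evr) < fixed_upstream,
        # What the maintainer's changelog claims has been backported.
        "backported_fixes": sorted(required & fixed),
        # Fixes the changelog does not mention at all: these still need attention.
        "changelog_missing": sorted(required - fixed),
    }


if __name__ == "__main__":
    report = assess("9.3.4-6.0.2", SAMPLE_CHANGELOG,
                    ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"], (9, 5, 0))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The version-only test flags the package as vulnerable because 9.3.4 is older than the (constructed) 9.5.0 fix release, while the changelog shows two of the three ids were backported and one is genuinely unaddressed. A changelog line is still only the maintainer's claim; confirming that the patch is really in the binary means comparing the source package against upstream, which is exactly the side-by-side compare the post says most end-users never do.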
