New Linux security holes publised. - Microsoft Windows

This is a discussion on New Linux security holes publised. - Microsoft Windows ; Wow, what a secure OS. So much for the secure OS and the "cannot be hacked" myth. Linux advocates are full of ****. http://www.linuxsecurity.com/advisories/index.html 12/12/2003 17:21 - Slackware: lftp Code parsing vunlerability According to the NEWS file, this includes "security ...

+ Reply to Thread
Results 1 to 9 of 9

Thread: New Linux security holes publised.

  1. New Linux security holes publised.


    Wow, what a secure OS.
    So much for the secure OS and the "cannot be hacked" myth.

    Linux advocates are full of ****.



    http://www.linuxsecurity.com/advisories/index.html


    12/12/2003 17:21 - Slackware: lftp Code parsing vunlerability
    According to the NEWS file, this includes "security fixes in html
    parsing code" which could cause a compromise when using lftp to access
    an untrusted site.

    12/12/2003 11:14 - Mandrake: net-snmp Improper access vulnerability
    A vulnerability in Net-SNMP versions prior to 5.0.9 could allow an
    existing user/community to gain access to data in MIB objects that were
    explicitly excluded from their view.

    12/12/2003 3:22 - Gentoo: app-crypt/gnupg Multiple vulnerabilities
    Two flaws have been found in GnuPG 1.2.3 including a format string
    vulnerability and the compromise of ElGamal signing keys.

    12/11/2003 19:05 - Slackware: cvs Unauthorized access vulnerability
    A security problem which could allow an attacker to create directories
    and possibly files outside of the CVS repository has been fixed with the
    release of cvs-1.11.10.

    12/11/2003 9:48 - Fedora: GnuPG Signing key vulnerability
    Phong Nguyen identified a severe bug in the way GnuPG creates and uses
    ElGamal keys, when those keys are used both to sign and encrypt data.
    This vulnerability can be used to trivially recover the private key.

    12/11/2003 9:47 - Red Hat: GnuPG Signing key vulnerability
    Phong Nguyen identified a severe bug in the way GnuPG creates and uses
    ElGamal keys, when those keys are used both to sign and encrypt data.
    This vulnerability can be used to trivially recover the private key.

    12/11/2003 9:42 - Mandrake: etherial Multiple vulnerabilities
    A number of vulnerabilities were discovered in ethereal that, if
    exploited, could be used to make ethereal crash or run arbitrary code by
    injecting malicious malformed packets onto the wire or by convincing
    someone to read a malformed packet trace file.

    12/11/2003 9:40 - Mandrake: cvs Unauthorized access vulnerability
    (correction)
    The previous updates had an incorrect temporary directory hard-coded in
    the cvs binary for 9.1 and 9.2. This update corrects the problem.

    12/11/2003 9:25 - Gentoo: cvs Unauthorized access vulnerability
    This release fixes a security issue with no known exploits that could
    cause previous versions of CVS to attempt to create files and
    directories in the filesystem root.

    12/9/2003 13:27 - Conectiva: GnuPG signing key vulnerability
    Phong Nguyen discovered[2] a vulnerability (CAN-2003-0971[3]) in the way
    GnuPG deals with type 20 ElGamal sign+encrypt keys which allows an
    attacker to recover the corresponding private key from a signature.

    12/8/2003 23:45 - Mandrake: screen Buffer overflow vulnerability
    A vulnerability was discovered and fixed in screen by Timo Sirainen who
    found an exploitable buffer overflow that allowed privilege escalation.

    12/8/2003 23:44 - Mandrake: cvs Unauthorized access vulnerability
    A vulnerability was discovered in the CVS server < 1.11.10 where a
    malformed module request could cause the CVS server to attempt to create
    directories and possibly files at the root of the filesystem holding the
    CVS repository.

    12/8/2003 11:06 - Immunix: rsync Heap overflow vulnerability
    The rsync team has alerted us to a remotely exploitable heap overflow
    that is being actively exploited. As the overflow is on the heap,
    StackGuard offers no protection to this vulnerability.

    12/5/2003 17:49 - Turbolinux: glibc and rsync Multiple vulnerabilities
    (1) glibc -> Multiple vulnerabilities in glibc
    (2) rsync -> Heap overflow

    12/5/2003 16:25 - Conectiva: kernel Privilege escalation vulnerability
    A vulnerability in the kernel do_brk() function allows local attackers
    to obtain root privileges. Exploits for this vulnerability have already
    been published.


  2. Another windows "security" dimwit

    Security News wrote:

    >
    > Wow, what a secure OS.
    > So much for the secure OS and the "cannot be hacked" myth.
    >
    > Linux advocates are full of ****.
    >


    You can read? Why didn't you do it before posting this list?
    --
    Don't abandon hope: your Tom Mix decoder ring arrives tomorrow


  3. Re: New Linux security holes publised.

    "Security News" wrote in message
    news:g9kltvk01he86b9dmongakehntied0ddp3@4ax.com...
    >
    > Wow, what a secure OS.
    > So much for the secure OS and the "cannot be hacked" myth.
    >
    > Linux advocates are full of ****.
    >
    >
    >
    > http://www.linuxsecurity.com/advisories/index.html
    >
    >
    > 12/12/2003 17:21 - Slackware: lftp Code parsing vunlerability
    > According to the NEWS file, this includes "security fixes in html
    > parsing code" which could cause a compromise when using lftp to access
    > an untrusted site.
    >
    > 12/12/2003 11:14 - Mandrake: net-snmp Improper access vulnerability
    > A vulnerability in Net-SNMP versions prior to 5.0.9 could allow an
    > existing user/community to gain access to data in MIB objects that were
    > explicitly excluded from their view.
    >
    > 12/12/2003 3:22 - Gentoo: app-crypt/gnupg Multiple vulnerabilities
    > Two flaws have been found in GnuPG 1.2.3 including a format string
    > vulnerability and the compromise of ElGamal signing keys.
    >
    > 12/11/2003 19:05 - Slackware: cvs Unauthorized access vulnerability
    > A security problem which could allow an attacker to create directories
    > and possibly files outside of the CVS repository has been fixed with the
    > release of cvs-1.11.10.
    >
    > 12/11/2003 9:48 - Fedora: GnuPG Signing key vulnerability
    > Phong Nguyen identified a severe bug in the way GnuPG creates and uses
    > ElGamal keys, when those keys are used both to sign and encrypt data.
    > This vulnerability can be used to trivially recover the private key.
    >
    > 12/11/2003 9:47 - Red Hat: GnuPG Signing key vulnerability
    > Phong Nguyen identified a severe bug in the way GnuPG creates and uses
    > ElGamal keys, when those keys are used both to sign and encrypt data.
    > This vulnerability can be used to trivially recover the private key.
    >
    > 12/11/2003 9:42 - Mandrake: etherial Multiple vulnerabilities
    > A number of vulnerabilities were discovered in ethereal that, if
    > exploited, could be used to make ethereal crash or run arbitrary code by
    > injecting malicious malformed packets onto the wire or by convincing
    > someone to read a malformed packet trace file.
    >
    > 12/11/2003 9:40 - Mandrake: cvs Unauthorized access vulnerability
    > (correction)
    > The previous updates had an incorrect temporary directory hard-coded in
    > the cvs binary for 9.1 and 9.2. This update corrects the problem.
    >
    > 12/11/2003 9:25 - Gentoo: cvs Unauthorized access vulnerability
    > This release fixes a security issue with no known exploits that could
    > cause previous versions of CVS to attempt to create files and
    > directories in the filesystem root.
    >
    > 12/9/2003 13:27 - Conectiva: GnuPG signing key vulnerability
    > Phong Nguyen discovered[2] a vulnerability (CAN-2003-0971[3]) in the way
    > GnuPG deals with type 20 ElGamal sign+encrypt keys which allows an
    > attacker to recover the corresponding private key from a signature.
    >
    > 12/8/2003 23:45 - Mandrake: screen Buffer overflow vulnerability
    > A vulnerability was discovered and fixed in screen by Timo Sirainen who
    > found an exploitable buffer overflow that allowed privilege escalation.
    >
    > 12/8/2003 23:44 - Mandrake: cvs Unauthorized access vulnerability
    > A vulnerability was discovered in the CVS server < 1.11.10 where a
    > malformed module request could cause the CVS server to attempt to create
    > directories and possibly files at the root of the filesystem holding the
    > CVS repository.
    >
    > 12/8/2003 11:06 - Immunix: rsync Heap overflow vulnerability
    > The rsync team has alerted us to a remotely exploitable heap overflow
    > that is being actively exploited. As the overflow is on the heap,
    > StackGuard offers no protection to this vulnerability.
    >
    > 12/5/2003 17:49 - Turbolinux: glibc and rsync Multiple vulnerabilities
    > (1) glibc -> Multiple vulnerabilities in glibc
    > (2) rsync -> Heap overflow
    >
    > 12/5/2003 16:25 - Conectiva: kernel Privilege escalation vulnerability
    > A vulnerability in the kernel do_brk() function allows local attackers
    > to obtain root privileges. Exploits for this vulnerability have already
    > been published.


    linux is a hobbyist operating system, so insignificant that hackers don't
    even waste their time breaking it ... under attack, linux breaks into pieces
    and cries like a little girl.




  4. Re: New Linux security holes publised.

    cola_moderator wrote:


    >
    > linux is a hobbyist operating system, so insignificant that hackers don't
    > even waste their time breaking it ... under attack, linux breaks into
    > pieces and cries like a little girl.


    yawn

  5. Re: New Linux security holes publised.

    cola_moderator wrote:
    >
    > linux is a hobbyist operating system, so insignificant that hackers don't
    > even waste their time breaking it ... under attack, linux breaks into pieces
    > and cries like a little girl.
    >


    Linux is very PROFESSIONAL and stable OS. Actually a very genious system
    indeed.

    And most (if not all) of the the security issues are recovered by
    Linux-developers themselves.

    Improving the security is an on-going and constant process. It need to
    maintained. This is the case for all operating systems; Amiga, Microsoft
    Windows, BSD Unix flavors and Linux etc.

    And even Microsoft.com needs security of Linux some times.
    http://news.netcraft.com/archives/20..._a_point_.html

    The RED Curve is for hobbyists. Do you want to follow it?
    http://news.netcraft.com/archives/we...er_survey.html

    Actually I do not care. I do not even mind what operating system I use
    myself, so long it fits my budget and does the job properly. My current
    choise is Linux. It's even fun to use. Pasta!

    All the best,

    // os moma
    http://www.futuredesktop.org/#distrolist
    -

  6. Re: New Linux security holes publised.

    Security News wrote:

    > Wow, what a secure OS.


    It is.

    > So much for the secure OS and the "cannot be hacked" myth.


    Who the hell claims it can't be hacked? It's significantly more
    difficult to hack than most alternatives, but that's a different story.

    > Linux advocates are full of ****.


    That's a bit of a hyperbole, isn't it? Particularly since no Linux
    advocates claim that Linux cannot be hacked, showing exactly who i full
    of ****.

    > http://www.linuxsecurity.com/advisories/index.html


    The list is extensive, I'll give you that. However, you repeat the same
    vulnerability for all the major distros, which inflates the numbers
    somewhat. I'll rearrange them and remove duplicates:

    > 12/12/2003 17:21 - Slackware: lftp Code parsing vunlerability
    > According to the NEWS file, this includes "security fixes in html
    > parsing code" which could cause a compromise when using lftp to access
    > an untrusted site.


    A text-only FTP program. How many people actually use this? Won't
    people who use console apps typically be the ones who also keep their
    apps updated? Finally, there is no working exploit, so I'd classify
    this as a minor risk.

    > 12/12/2003 11:14 - Mandrake: net-snmp Improper access vulnerability A
    > vulnerability in Net-SNMP versions prior to 5.0.9 could allow an
    > existing user/community to gain access to data in MIB objects that
    > were explicitly excluded from their view.


    Some obscure network managing tool may allow existing uses to access
    data that was hidden from them? I'd like you to explain how you can
    "hack" someone with this exploit. Particularly regular home users.

    > 12/12/2003 3:22 - Gentoo: app-crypt/gnupg Multiple vulnerabilities Two
    > flaws have been found in GnuPG 1.2.3 including a format string
    > vulnerability and the compromise of ElGamal signing keys.


    Let's examine this one. The ElGamal key aren't safe. They're not
    commonly used, so the issue is limited. The second vulnerability would
    in the worst case allow a malicious keyserver to execute arbitrary code
    on your computer. Perhaps one shouldn't be connecting to such a
    keyserver, if it's *that* untrusted ...

    > 12/11/2003 9:25 - Gentoo: cvs Unauthorized access vulnerability This
    > release fixes a security issue with no known exploits that could cause
    > previous versions of CVS to attempt to create files and directories in
    > the filesystem root.


    CVS is mostly used by developers, so that limits the problem a bit.
    There's also no known exploit.

    > 12/11/2003 9:42 - Mandrake: etherial Multiple vulnerabilities A number
    > of vulnerabilities were discovered in ethereal that, if exploited,
    > could be used to make ethereal crash or run arbitrary code by
    > injecting malicious malformed packets onto the wire or by convincing
    > someone to read a malformed packet trace file.


    Talk about hard to exploit! You first have to find someone who runs a
    network analyzer, and then convince them to read a carefully crafted
    trace file. Good luck!

    > 12/8/2003 23:45 - Mandrake: screen Buffer overflow vulnerability A
    > vulnerability was discovered and fixed in screen by Timo Sirainen who
    > found an exploitable buffer overflow that allowed privilege
    > escalation.


    That's about the worst one yet, I'll give you that. It's also fixed,
    before the entire Internet was taken down by it.

    > 12/8/2003 11:06 - Immunix: rsync Heap overflow vulnerability The rsync
    > team has alerted us to a remotely exploitable heap overflow that is
    > being actively exploited. As the overflow is on the heap, StackGuard
    > offers no protection to this vulnerability.


    This is for people who run rsync servers. Had this been for web
    servers, FTP servers or mail servers, it might have been worse. Only
    people who know what they're doing should be running rsync servers, so
    the problem is probably limited. It's not like this runs as default or
    anything ...

    > 12/5/2003 16:25 - Conectiva: kernel Privilege escalation vulnerability
    > A vulnerability in the kernel do_brk() function allows local attackers
    > to obtain root privileges. Exploits for this vulnerability have
    > already been published.


    Here's the only really noticeable problem. It's a local exploit, but
    still serious. It's primary use would be in conjunction with some
    server vulnerability, like the rsync bug.

    All in all, you've shown little that was of any consequence to average
    desktop users who don't run servers, and only have trusted users.

    In other words, go ahead r00t me!

    [Followup-To: comp.os.linux.advocacy]

    --
    PeKaJe

    Don't I know you?

  7. Re: New Linux security holes publised.

    Security News wrote:

    >
    > Wow, what a secure OS.
    > So much for the secure OS and the "cannot be hacked" myth.
    >


    For security, I'll take Linux over Windows any day. Windows (all makes) has
    more security holes than swiss cheese.

    > Linux advocates are full of ****.


    Don't shoot the messenger; even Bill Gates himself has declared Windows a
    security disaster, and without insolvency!


    --
    ... the information surrounding the release of a patch and the patch
    itself actually increases the risk associated with vulnerabilities.

  8. Re: New Linux security holes publised.

    osmoma wrote:

    > cola_moderator wrote:
    >>
    >>
    >>

    >


    > All the best,
    >
    > // os moma
    > http://www.futuredesktop.org/#distrolist
    > -


    Do you really think that infantile retards such as this win****_moderator
    needs a civilized answer? What makes you think that their worthless kind
    has the capacity to process information and make sense of it?


    --
    ... the information surrounding the release of a patch and the patch
    itself actually increases the risk associated with vulnerabilities.

  9. Re: New Linux security holes publised.

    Security News wrote:

    >
    > Wow, what a secure OS.
    > So much for the secure OS and the "cannot be hacked" myth.
    >
    > Linux advocates are full of ****.
    >
    > http://www.linuxsecurity.com/advisories/index.html
    >



    Yeah, and I'm going to dumb the **** on you. Now shut the **** up.

+ Reply to Thread