Data Corrupting ext3 Bug In Latest Linux 2.4.20
An anonymous reader writes "Andrew Morton alerted readers of the Linux Kernel mailing list today that ext3 in the 2.4.20 kernel has a new bug that can easily cause file data corruption at unmount time. The bug will only affect people using ext3 in "data=journal" mode, which fortunately is not the default... Full details can be read on KernelTrap."
Even more remarkable is the fact that these stories always somehow fail to make the front page, while every 2-cent obscure vulnerability discovered in Internet Explorer and IIS is shoved front and center.
Slashdot needs a bit more balance in the way it covers things. If this had been a problem with the goddamn filesystem (!) in Windows you'd be seeing 900 posts to the tone of "Hah! M$ sucks!!!1!!".
Sad.
Really though, CERT advisories are inadequate tools for measuring vulnerability. Assuming Linux+apache+ssh, etc., all had equal number of bugs, the number of CERT advisories would be dramatically higher for Linux as opposed to Windows, since Microsoft forces people to hush up when a hole is found, and in the case of Linux, the bugs get reported several times, and the same hole in several distros likely becomes different bugs.
Hence, the article draws a similar conclusion to something like "Our army suffered more casualties than our opponent's army; hence, our opponent is the victor."
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
Klez and ILOVEYOU all have fixes. A lazy person who doesn't update and patch will have an unsecure system regardless of if it runs Windows, Linux, BSD, Mac OS X, or ANYTHING.
I'm not going to get into pro-some-OS flame war but I'd like to add one thing that you might have missed in the argument.
The OS that was infected with Klez and ILOVEYOU is a production system.
While the kernel which has fs corruption bug is supposed to be used by non-production, testing environment, and for those who like to use bleeding edge release.
I just got a similar report of a bug from an accounting software vendor alerting us to a bug in Windows.
Apparently in W2k SP1 MS broke something that caused data not to be written from disk cache to the actual disk, which caused data corruption. This was only fixed in SP3.
I just find it interesting that this bug was not common knowledge as it is not really a "security" issue so they can't hide behind that smoke screen.
Um, maybe because regular non-developer type people don't run out and grab the latest kernel that just came out and compile it themselves for the hell of it. Instead, they run whatever version comes with their distro.
Anyone running the latest bleeding edge stuff keeps up with the LKML anyway, and KNOWS what is going on, way before it would hit a news site like /.
The sky is falling! Sheesh...
When 2.4.20 was released, the news made it to the front page. Wouldn't it be appropriate to notify the same people who were notified that this new kernel version was released and ready for download?
I suspect that there are many Slashdot readers who will compile the latest kernel, but who do not read the developers section.
I wouldn't consider 2.4.20 "bleeding edge", as it is the latest kernel in the current stable series, and as such is supposed to be safe for running. "Bleeding edge" would be the latest 2.5 kernel or possibly prerelease kernels in the 2.4 series.
Again, this deserves to be on the front page.
"While the kernel which has fs corruption bug is supposed to be used by non-production, testing environment, and for those who like to use bleeding edge release."
Bzzt. 2.4 is the current stable Linux branch, and 2.4.20 is the latest stable version of that branch.
While this kind of thing is not uncommon in the development branch, it's awful to see in a point release of the stable branch.