FreeBSD Kernel Leak

Pine Digital Security announced a FreeBSD kernel leak, found when auditing a customer. The leak can be exploited to panic the server or elevate privileges. FreeBSD swiftly updated CVS, a security advisory will probably follow. Both the -RELEASE branch and -CURRENT branch are vulnerable.

Re:Does not affect OpenBSD or NetBSD

[CoolVibe]

Troll.

Where in the story posting does it say that involves NetBSD and/or OpenBSD? It states clearly that it's a FreeBSD bug. And one that's already fixed in CVS to boot.

Re:Does not effect OpenBSD or NetBSD

[jasonditz]

Let me just remind you all that this bug does NOT effect the OS/2 Warp 3.0 kernel.

I repeat, the OS/2 Warp kernel is not effected!

In case you didn't figure it out from the article

[edhall]

This is a local vulnerability; it doesn't, in and of itself, make servers vulnerable. Even if someone has a local account on a system, it takes hours of CPU time to perform an exploit.

It looks like the bug (and the fix) were already announced (and committed to CVS) but that the possibility of using the bug in an exploit was not revealed until now (and might not even have been appreciated by the original reporter).

-Ed

Re:Rackspace

[xA40D]

if I use FreeBSD then I will be hacked.

Not exactly a reprasentative poll but...

I use FreeBSD. I work in an office with 7 other people who all use RedHat. Out of the 8 of us, over the past 2 years, I'm the only one never to have been hacked.

The job I had before this was with an ISP which used FreeBSD for all their core systems. And in their whole history they had only ever had one FreeBSD system hacked, and that turned out to be an ex-employee who had added his public key to someobody elses authorized_keys file.