Re: Which releases are production stable? (on Linux 2.4.13)
So because the kernel has been heavily tested, you should use it. Don't worry about the local root exploits published to bugtraq on 18 October by Rafal Wojtczuk.
If RedHat want to compete with Microsoft in the server arena, comments like this should _not_ be made after a vulnerability is released!
The comments about it already being done are not strictly true. ReiserFS was introduced in 2.4.1 after feature freeze. There is no way that you can say ReiserFS was a bugfix. That is big time new development.
Having followed this topic on the ipf list for the past couple of days, I'm not sure if the change is as serious as people think, or if it is more serious.
What I do know is this. Linux has had three very different filtering systems over the past three major kernel revisions. ipfwadm in 2.0, ipchains in 2.2 and netfilter / iptables in 2.4. Granted, iptables aren't that big a change from ipchains, but it's still a pain to have to upgrade all your filter scripts and learn new syntax every time a new major kernel release happens.
Over the same period of time ipfilter has stayed the same. It has retained its syntax and most importantly, it has run on many different systems.
ipfilter was one of the contributing factors in our decision to drop Linux in my company. We have to maintain Sun Solaris boxes for certain clients, and we already use ipfilter on our OpenBSD firewall. But we had filters on all machines as additional layers of security. By dropping Linux and moving to FreeBSD we still have a powerful server platform, and we get to standardise on our filtering tools.
For us, this is a good thing. Fewer different packages to maintain in an organisation means less chance of things going wrong. Less chance of things going wrong leads to more free time for my staff and me.
So ipfilter has been a blessing for us. We can now use the same filtering scripts on our database servers be they Sun or FreeBSD. We have the same webserver set of filtering scripts for Solaris, FreeBSD and OpenBSD. Everything all nice and tight.
Now the downsides. When the fragment bug was found in ipfilter 3.4.16, we had to upgrade it on 20 servers. That's a pain. If this licence does cause people to shy away from ipfilter that will be bad too, purely because there will be less support going into it and it will take longer for things to get noticed / fixed.
I read talk of OpenIPF, but how long will that be? It was quite a while before OpenSSH was able to work as a drop in replacement for SSH.
My team and I are salaried. We have a contact cell phone that is passed between techs. This is so that we can use email-to-SMS gateways to get messages to the phone (monitoring system). The reason that we do this is because we haven't found a pager that offers this kind of service.
Last week we lost a machine on Wednesday (hardware failure). We worked on that until 2am Thursday. Got to work again at 9am Thursday. We then had problems with one of our sites starting Thursday night, 18:00. The software that runs that site is proprietary, so no community support. That saw us through until 2am Friday morning.
8:02am Friday morning, we get a call from the client on the emergency cell phone (for alerts only - it says so in the contract!) 'How are things going?'
me: 'urgh'
him: 'It's ***. How are things with the site?'
me: 'urgh. sent an e-mail. Please see e-mail?'
him: 'I just want a quick update. I'm not at work yet.'
me: 'it's up. Email. Tired. urgh'
him: 'What was the problem?'
me: 'please check your e-mail. I'm going to sleep'
And because we're salaried, that's just the breaks. No overtime pay. It says so in the contract. No rights to the 48 hour work week as defined by the EU. Had to waive those in the contract. No right to sleep in when you've pulled two 18 hour shifts in a row. Says so on the cell phone :) /* Wayne Pascoe
There are some valid points lately. Recently on the linux kernel mailing list, Linus made a post saying
'I've basically thrown away all patches sent to me so far, and I will continue to do so at least over the weekend. I'm not going to bother thinking about patches for a few days.'
How many people who submitted useful patches that the kernel _needs_ won't bother resubmitting? Hell, what's the point? I do all the work, and he throws them away.
So yes, I do believe that in some ways Linus is hurting Linux.
And as for the state of the kernel, all kernels prior to 2.2.16 are insecure. They have a huge hole that allows an attacker to lock your machine with a structured TCP packet / series of packets. But all kernels since 2.2.15 (up to and including 2.2.19pre2) are unusable for high traffic web sites. The VM subsystem is broken. I am using Andrea's patch against 2.2.18 and that seems to help, but the stable kernel has been broken for almost a year now!
From what I have read so far, RAID 5 is now broken under 2.4.0 (under a reconstruct / degraded mode) and the VM subsystem is _still_ broken.
I love open source. But I also work with closed source. I like having a patch available when a vulnerability is announced. I get this with IIS, Exchange, etc. I didn't this time because the people who published the flaw never gave the vendor time to address it.
It hasn't been corrected yet. Many sysadmins in Europe will be sitting up tonight waiting for a patch.
Sounds to me like it's nothing more than your basic overflow. While the article from Apache mentions the possible execution of code, I think they're referring to the Windows platform.
The fact that you have to try and work out what they are trying to say in the announcement is not a good thing. When you're announcing a vulnerability, the announcement should make it clear what the effects are. If the effects differ from system to system, that should be clear and the impact of the flaw should be clearly described for each system.
In this case, HELL YES!
The patch they provide doesn't solve the problem, they failed to give the vendor any notice and they didn't even work out exactly what is affected. That sounds a lot like uninformed and questionable to me.
WTF!?!?!
What happened to the lead time given to a software vendor before publishing a vulnerability ? I thought that all professional 'sploit hunters honoured this.
The idea is to give the vendor time to produce a patch so that when you announce the vulnerability there is an official patch available. It's 22:16 here now and I'll be sat up half the night waiting to see if Apache release a patch because I have around 20 servers that run Apache, and I can't sleep until I know they're secure.
I'm all for full disclosure, but I much prefer RESPONSIBLE full disclosure. If anyone from IIS is reading this, you're a bunch of immature morons. Play by the rules or fuck off!
I really think that this is a bad idea, mostly because of the lack of controlled environments. Yes, you can try to hold the engineer of a bridge responsible if it collapses, but when was the last time you saw a couple of thousand people gathered around the supports of a bridge whacking it with hammers ?
If I find an exploit in software, my community praises me. If I try to find an exploit in a bridge, I go to jail for vandalism or some such crime.
Anyone know how I go about changing the splash screen in OS X? I can't find the mozilla.bmp file anywhere on my system using find :(
Good for you. Unfortunately, most corporations aren't you. How many online banks can only be used with IE? Quite a few in the UK and RSA at the moment. How many online services such as tax returns can only be done with IE? Now do you see the problems?
Corporations will code to take advantage of all the neat little IE features. This leaves users of other browsers out in the cold.
Has anyone ever gone to Microsoft, killed the guards , boarded the company and stolen their software? Has anyone had this same group of people come round their house, kill the family and take the software ?
Piracy is the act of boarding a ship and taking the goods by force. There is usually a lot of killing involved.
The industry started using this word to make people associate the non-payment of licence fees with this wanton killing and mayhem. Sites like this should know better than to propagate this meme.
Let's face it - Most companies these days are telling us that even if we pay them money, we still never own the product! So how can these people be stealing it? The company still has their copy at the end of the day and many of the people who copied it probably would not have bought it even if they could not copy it.
Don't believe the lost sales figures. And please stop using the word pirate to describe people who commit Intellectual Property infringements. You are just feeding the media hype.
So when a company that is built around the success of the GNU/Linux platform makes changes to its ethics, software licence, etc. we call that good business sense.
When Borland, Microsoft or Real do the same thing, we call that evil, wrong and call for their blood.
Got it. I'll go back to reading now.
Porting apps to Cocoa is not easy. For starters it uses Objective-C and most of the apps that we need to port are C. Secondly, there is a hell of a lot of interface code (GTK, GDK, QT, whatever) that needs pulling out of the app before you can even start replacing it with Cocoa. Then, and only then can you start rebuilding the frontend.
This smacks of simply putting the squeeze on sun. Big talk, but I'll believe it when I see it.
Sounds like Larry wants some discounts out of Scot.
So there is a GNU/Linux distribution with the equivalent of FreeBSD's cvsup and make world process. Yah. Whoohoo.
So now we can have packages optimised for our platform at the cost of building everything from source. Sounds like a heavy cost to me. Wouldn't it be more efficient to provide a couple of different binary packages for each package à la Mandrake (i586 and i486)? Compile once and let everyone install them as opposed to everyone compiling?
I've recently given in and bought a Mac. The main reason I did this is that I want the power of Unix, but I needed MS Office.
Say what you like about the open source tools out there (Abiword, StarOffice, etc.) they DO NOT allow you to collaborate on documents with coworkers and clients. In most cases, I could open them, but on saving them certain formatting that my client / coworker had included was lost.
In the academic world in which RMS and a lot of Linux / Free Unix enthusiasts live, you can get away with telling people to sod off and resend the doc as an RTF. Even for the several years of being a sysadmin I was normally able to get away with it.
However when you become a manager and are responsible for company revenue things change. My clients have tender documents as Word templates. If I cannot use those, I cannot tender. They don't want to be educated. They want to put some work out. There is A LOT of competition out there, and they don't care that I want an RTF. Also, clients will send you a Word document that they want input on. Damage the formatting that they spent hours on, and you're in the dog box. The dog box is not a good place to be for profitability.
In the real world, you need to collaborate. Because most people use Word as their document format and Excel as their spreadsheet format, you use these or lose out.
The only way that this will change is if an office suite appears on the market that is able to both read and more importantly SAVE in these formats without losing formatting or information.
The biggest problem with dependencies in RPMs is that there is a lot of human interaction required. I've seen A LOT of packages that require one of the following, thus causing a problem:
Specific software package (eg. Sendmail)
Specific version of package (eg. Sendmail 9.1.0)
Just a library without saying what package to get it from (eg. libperl.so)
In each of these cases you have a problem. If I have Sendmail 10 installed and I'm installing an RPM that wants Sendmail 9, while I satisfy the requirements, it won't install. I'm not sure how Debian deals with this.
If I have Exim installed, and I'm installing a package that wants Sendmail it won't install. Debian packages generally want MTA, a requirement which is satisfied by either Sendmail or Exim (or Postfix for that matter).
If a package just wants a library without saying what package it comes from, apt is NEVER going to know what to install to satisfy that dependency without maintaining an Index of the contents of all packages.
These are deficiencies in the packages created by the package maintainers. There are other problems with the actual RPM way of doing things which are further compounded by the distribution builders.
A standard Mandrake install has about 30 packages as required that I have NEVER used. They are only required for certain circumstances, most of which I never needed. But I have to have that clutter lying around my system.
RPM is broken at 3 layers IMHO. The distribution builders, the package maintainers and the design of the application. Wrapping all of this in APT isn't going to solve anything. But until a viable alternative is marketed by someone with the power to drive it, RPM will remain the industry standard for commercially targeted GNU/Linux distributions.
Personally, I use FreeBSD and I love the make world solution for the base distribution and the ports solution for packages. This keeps me current, makes sure that all binaries are optimised to my processor and provides me with a one stop upgrade point. No hassles, no dependency woes and more time to get on with my job.
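As an added illustration (not the commenter's code, nor anything from rpm, apt or a distribution), here is a small Python model of the three dependency forms described above: an exact-version pin fails where a minimum version would resolve, a virtual MTA provide is satisfied by Exim where a hard Sendmail name is not, and a bare library name can only be resolved with a contents index. Every package name, version and file in it is constructed.

```python
"""Toy dependency checker modelling the three problem cases from the RPM comment
above. Added illustration, not rpm or apt code; every package name, version and
file below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Package:
    name: str
    version: Tuple[int, ...]
    provides: Set[str] = field(default_factory=set)  # virtual names, e.g. "MTA"
    files: Set[str] = field(default_factory=set)     # shipped files, e.g. "libperl.so"

@dataclass
class Requirement:
    target: str                                # package name, virtual name or bare file
    op: Optional[str] = None                   # None = any version, "=" exact, ">=" minimum
    version: Optional[Tuple[int, ...]] = None

def satisfies(pkg: Package, req: Requirement) -> bool:
    """Does this one package meet the requirement (by name or virtual name)?"""
    if req.target != pkg.name and req.target not in pkg.provides:
        return False
    if req.op is None:
        return True
    if req.op == "=":
        return pkg.version == req.version
    if req.op == ">=":
        return pkg.version >= req.version
    raise ValueError(f"unsupported operator {req.op!r}")

def installed_ok(req: Requirement, installed: List[Package]) -> bool:
    """What a plain rpm install decides: something installed must already satisfy it."""
    return any(satisfies(p, req) for p in installed)

def build_file_index(repo: List[Package]) -> Dict[str, Set[str]]:
    """The 'index of the contents of all packages' a bare-library dependency needs."""
    index: Dict[str, Set[str]] = {}
    for pkg in repo:
        for f in pkg.files:
            index.setdefault(f, set()).add(pkg.name)
    return index

def resolve(req: Requirement, installed: List[Package], repo: List[Package],
            file_index: Optional[Dict[str, Set[str]]] = None) -> str:
    """apt-style answer: 'ok', 'install:<pkg>', 'conflict:<pkg>' or 'unresolvable'."""
    if installed_ok(req, installed):
        return "ok"
    already = {p.name for p in installed}
    for pkg in repo:
        if satisfies(pkg, req):
            # A second version of an installed package cannot coexist with the first.
            return f"conflict:{pkg.name}" if pkg.name in already else f"install:{pkg.name}"
    # Nothing is named or provides the target: only a contents index can map a bare file.
    if file_index and req.target in file_index:
        return f"install:{sorted(file_index[req.target])[0]}"
    return "unresolvable"

# Constructed repository and two installed states matching the comment's cases.
REPO = [
    Package("sendmail", (9, 1, 0), provides={"MTA"}),
    Package("exim", (3, 3, 0), provides={"MTA"}),
    Package("perl", (5, 6, 1), files={"libperl.so"}),
]
WITH_SENDMAIL10 = [Package("sendmail", (10, 0, 0), provides={"MTA"})]
WITH_EXIM = [Package("exim", (3, 3, 0), provides={"MTA"})]

def demo() -> Dict[str, str]:
    """Run each case and return its outcome keyed by a short description."""
    return {
        "exact pin sendmail 9.1.0, sendmail 10 installed":
            resolve(Requirement("sendmail", "=", (9, 1, 0)), WITH_SENDMAIL10, REPO),
        "minimum sendmail 9.1.0, sendmail 10 installed":
            resolve(Requirement("sendmail", ">=", (9, 1, 0)), WITH_SENDMAIL10, REPO),
        "wants sendmail by name, exim installed":
            resolve(Requirement("sendmail"), WITH_EXIM, REPO),
        "wants virtual MTA, exim installed":
            resolve(Requirement("MTA"), WITH_EXIM, REPO),
        "bare libperl.so, no contents index":
            resolve(Requirement("libperl.so"), WITH_EXIM, REPO),
        "bare libperl.so, with contents index":
            resolve(Requirement("libperl.so"), WITH_EXIM, REPO, build_file_index(REPO)),
    }
```

Note that for the "wants sendmail by name" case `installed_ok` is False (the plain install refuses) while `resolve` would drag in a second MTA; the model does not track package conflicts, so the virtual "MTA" form is the only one that resolves cleanly.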
Speaking of MMORPGs, does anyone know if Asheron's Call is still being played and what the servers / services around it are like?
I have no union that says I only have to work 8 hour shifts. As a result I work between 10 and 16 hour shifts on average. After 5 days of doing that, the last people I want to see on a weekend are the people I saw 16 hours a day for the previous 5 days.
As a sysadmin, I prefer to have each service running on a separate port and if it is a SOAP-based service, just add the port number to the request.
This means that I can control what is being accessed by whom at the firewall, machine and application level.
The big problem with this is that many corporate firewalls prevent outgoing connections to non-standard ports. So if I want my developers' apps to be open to the world, I often have to go against my first choice and run the services on port 80.
Just my 2p
FreeBSD (http://www.freebsd.org/)
Community service as punishment for doing community service? Cute :)
How could luring people away from Windows be considered as anything other than community service :)
/* Wayne Pascoe