Slashdot Mirror


User: Cat_Byte

Cat_Byte's activity in the archive.

Stories: 0
Comments: 870

Comments · 870

  1. Re:I have a plan... on IBM Moving Developer Jobs Overseas · · Score: 1

    to Anonymous Coward:
    READ THE NEWSPAPERS. Those are the only jobs listed in great numbers.

  2. ARGH with the MS bashing on Swiss Researchers Exploit Windows Password Flaw · · Score: 1

    Here's for all the "more secure than MS" posters who probably don't even subscribe to security updates notifications for their own OS. This is just what I had in my inbox today so it's a totally random security flaw list affecting everyone who was up to date on RH Linux. Hmm lots of flaws for an "inherently more secure OS".

    Security Advisory - RHSA-2003:238-14
    Summary:
    Updated 2.4 kernel fixes vulnerabilities

    Updated kernel packages are now available fixing several security vulnerabilities.

    Description:
    The Linux kernel handles the basic functions of the operating system.

    Several security issues have been discovered affecting the Linux kernel:

    CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

    CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

    CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

    CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

    CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

    CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

    CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

    CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.

    All users are advised to upgrade to these errata packages, which contain backported security patches correcting these vulnerabilities.

    Important:

    If you use Red Hat Linux 7.1, you must have installed quota-3.06-9.71 from RHSA-2003-187, and if you use Red Hat Linux 7.2 or 7.3, you must have installed quota-3.06-9.7 from RHSA-2003-187.

  3. Re:"Tricks?" on The Growing Field Guide To Spam Techniques · · Score: 1

    And for crying out loud, "spam" is not an acronym so stop writing it in upper case!

    Besides the Spam company is suing for using their copyrighted name for canned meat.

  4. Re:XP almost makes it worse on Swiss Researchers Exploit Windows Password Flaw · · Score: 1

    Anti-MS comments like this make me wonder how some of these *nix users managed to get through the install portion of their O/S.

  5. Re:no on Swiss Researchers Exploit Windows Password Flaw · · Score: 1

    Thank you. I was reading through posts waiting to see if someone already pointed this out rather than bashing Windows wearing their *nix blinders. Can't believe the post was this far down the page. Being a security admin this was the first thought that came to me reading this. So it takes just over 15 hours to crack *nix. It's a better target considering how many users wouldn't even know it if you ran an app on their box. Cracking Windows....hmmm....yay solitaire at another person's CPU expense!

  6. Re:Imminent death of IPv4 predicted!! on The Impending IP Crisis · · Score: 1

    I've set up many NAT networks and these problems do not exist if it's set up correctly. Everyone is assuming NAT = 1 IP address in a PAT style configuration. NAT pools can hold whatever range you own and assign to it. Set up a class C pool (or whatever /# you desire), port forward inbound to those who need netmeeting or whatever so they have the virtual IP address to their machine with only the ports you allow, problem solved.

  7. Re:Imminent death of IPv4 predicted!! on The Impending IP Crisis · · Score: 1

    hehe...imagine the routing tables on this. Sys Admins would commit suicide.

  8. I TOLD them on The Impending IP Crisis · · Score: 1

    "we're going to need something like 100 IP addresses for each human being."

    Sheesh and it was like an act of congress explaining to my ISP that our .com needed 255 IPs.

  9. Re:I have a plan... on IBM Moving Developer Jobs Overseas · · Score: 4, Informative

    I beg to differ. I've sent out over 2,500 resumes since Jan 1 and actively go after many of them rather than sending a resume & sitting & waiting on the phone to ring. Most of them tell me they received over 400 resumes before they even got the office doors open at 8am because it came out in the morning paper and people wanted to get theirs in first. The others just tell me I'm overqualified without even asking me if I would work for a lower salary (which I would at this point).

    With unemployment higher than it's been in decades and companies sending thousands of jobs overseas, this is a bad thing.

    Dell started sending jobs overseas this year too and my department was the very first to go. It was my early Christmas present.

    I'm just spending my time off learning more *nix flavors & learning C++ & Perl.

  10. Re:Does open source pose a security risk? on Who Opposes Open Source Software In Government? · · Score: 1

    Have you reported a security flaw to Linux or BSD to time how quickly they handle it? I have....you'd be surprised in a bad bad way. Open source also equals people not being paid to fix their bugs when it comes to 3rd party software that compromises the whole OS.

  11. Carona?? on Who Opposes Open Source Software In Government? · · Score: 1

    During the Texas hearing, Senate sponsor John Carona summed up the money situation nicely during the hearing before the Administrative Committee.

    Oh damn...Carona? I thought I voted for Corona as in cerveza!

  12. Re:our interest? on Who Opposes Open Source Software In Government? · · Score: 0, Offtopic

    I never said I depended on up2date. I said I subscribed to security update mailing lists. BTW those usually come out before the patch. You're missing my point tho. The parent thread said "Linux is secure, secure, SECURE." implying something the majority of *nix users adhere to & end up being one of the compromised machines trying to get into my network & trying to send email via open relay.

  13. Re:our interest? on Who Opposes Open Source Software In Government? · · Score: 1

    Please explain to me why I had 6 attacks today captured by Norton Personal Firewall & my Linux firewall that were determined to be *nix boxes. Also tell me why as security admin I keep having to call customers telling them their box has been compromised. Maybe because they think anything besides Windows is "secure" out of the box?

  14. Re:our interest? on Who Opposes Open Source Software In Government? · · Score: 1

    Umm...you don't subscribe to update lists on kernels & software do you? ;) I've been in security admin for years and find comments like this humorous ;). My Redhat has sent me over 10 updates in the last 2 weeks for security holes. That's..umm...more than microsoft sent me. No I'm not trolling saying Microsoft is better..just saying take off the blinders. Humans write code...period...no matter what the OS. And when you get to several thousand lines of code you can't "put some thought" into every scenario someone will try. I run Linux, Debian, Windows 2K, and XP at my home & stay up to date on security of all of them. You should try sometime..you might find your linux is pretty full of holes if you haven't checked in the last 2 weeks.

    BTW you do know that nimda hit several models of HP printers too don't you?

  15. Whatever happened to on 1.5GB HDs On a 1" Platter · · Score: 1

    those "crystal" drives I read about in Scientific American so long ago? It used 3D storage & could hold something like 6G in a single crystal if I remember correctly. Anyone ever hear anything else about those other than they made one & it was a prototype? I'm guessing maybe it's patented & being sat on?

  16. Funny, but on Web Enabled Spacecraft · · Score: 1

    I submitted this yesterday and it was space.com that reported it before Yahoo. Weird how sometimes a story gets skipped by one user and gets posted when another user posts it a day later.

  17. Re:Sounds like smartcards on New Software Secures Data when Owners Walk Away · · Score: 2, Insightful

    How the hell is saying this technology is a ripoff from smartcards a troll? Are you mods still on crack? I use smartcards and they're more configurable than these from what I read about them.

  18. Re:Sounds like smartcards on New Software Secures Data when Owners Walk Away · · Score: 2, Insightful

    This is not a troll. It's exactly the same thing a smartcard does.

  19. Sounds like smartcards on New Software Secures Data when Owners Walk Away · · Score: 3, Insightful

    Sounds like the smartcards to me where you stick it in the slot & it knows your password, domain, etc. Console is locked unless you have the card.

  20. Hokey spokes! on Geek Christmas Gift Ideas · · Score: 1

    Wow...I'm already planning on putting hokey spokes on my ceiling fan for parties ;)

  21. AutoPC has been out for years on Dashboard Linux - 1 Year Later · · Score: 1

    I was looking at one that ran Windows CE with GPS, voice recognition, reminders, MP3, etc about 3-4 years ago. When I search for AutoPC now I just get links to the stupid Clarion site that is hard to find info on and won't let you go back a page (grrrrrrrr).

    This is cool having Linux on one though. They have 802.11b wireless and all that good stuff on the Clarion one.

  22. Re:Note that 'Collectable' don't exactly mean 'Goo on Top Ten Most Collectible Video Games · · Score: 1

    Haha..yeah I helped grind it to a halt with my 9600 baud slip connection in college too. Oh wait...I was getting max throughput...nm.

    I remember finding Doom in college before I even knew what it was. My roommates & I played for weeks on twisted pair 1Mb NICs before the hype was made public. What a nice thing to find in alpha ;) (Back when version Xa meant alpha and Xb meant beta).

  23. Re:"Evildoers?!?!" on AOL Wins Anti-Spam Case · · Score: 5, Insightful

    Say that when you have an 8 year old opening his email with nude pictures & not even an 18+ click here type warning. If that's not evil, it's at least a form of child abuse I think by forcibly subjecting them to things like x x x farmanimals .com.

  24. Re:Not good enough. on AOL Wins Anti-Spam Case · · Score: 1

    Yeah and within 5 years we'd have satellite saturation on incoming bandwidth from Mars too.

    For only $5 (plus $80,000 S&H) you can have some Martian dirt!

  25. Re:Wow! on Sun Security Patch Introduces Security Hole · · Score: 1

    You need to subscribe to security updates for *nix OS sites. I work in network security and get so many of these notifications that I needed a special email account to store these without filling/cluttering my real inbox. I laugh when the windows vs *nix debates come out on the issue of security. They both have downfalls. Even SSH had a security hole last year.