The Fedora-Red Hat Crisis (Datamation)

Posted Sep 11, 2008 7:11 UTC (Thu) by njs (subscriber, #40338)
In reply to: The Fedora-Red Hat Crisis (Datamation) by BrucePerens
Parent article: The Fedora-Red Hat Crisis (Datamation)

>This is theoretical, we don't know yet that an undiagnosed exploit was used.

True. If it turns out that RH discovered a previously unknown but used-in-the-wild exploit and then sat on it for some weeks without telling anyone, then everyone will want to lynch them, absolutely.

But I'm assuming that isn't the basis for your argument, because that would mean you were arguing for pre-lynching them *just in case* they were hiding such information, and I respect you more than that :-). It's still *entirely* possible that they don't know the exploit, or it was a known exploit, or it was a previously unknown exploit that they have quietly reported (any number of security fixes have been released since the break-in was discovered, after all). Right?

>But if there was an undiagnosed exploit that potentially affected my system, I'd want a start on protecting myself against it and figuring it out. Having the existing information would certainly help.

But that was my point -- what sort of existing information do you imagine would help? Or make it concrete: in the Debian compromise, the initial announcement basically just said "somehow they got root, we don't know how". That was the only public information available until the details on the exploit were announced ~2 weeks later. How did you act differently during those two weeks? And if you acted differently, then *why*, given that we all know that there are undiagnosed root exploits in all of our boxes?

The Fedora-Red Hat Crisis (Datamation)

Posted Sep 11, 2008 7:38 UTC (Thu) by BrucePerens (subscriber, #2510) [Link]

>How did you act differently during those two weeks?

Well, one thing that was different from this Red Hat thing was that I knew, for sure, that the Debian folks would tell me what went wrong as soon as they could :-)

After the two weeks, I changed my kernel, as soon as I found out it was necessary to do that.

The Fedora-Red Hat Crisis (Datamation)

Posted Sep 11, 2008 12:54 UTC (Thu) by skvidal (subscriber, #3094) [Link]

From here:
http://skvidal.wordpress.com/2008/09/09/fedora-security-i...

"Something that came up at the board meeting today is that some folks are worried that their systems are not completely patched or current. That fedora infrastructure may have patches applied that we cannot tell people about.

Just to dispel this concern. Every package we (fedora infrastructure) have installed or updated on a system since the incident occurred is public and available."

Everything we have, you have.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds