Distribution security response times

Posted Sep 23, 2010 10:53 UTC (Thu) by jengelh (subscriber, #33263)
Parent article: Distribution security response times

>For SLES, the situation is a little less clear.

man@centaur:~> cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 1
man@centaur:~> ./ABftw
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.32.13-0.5-default
$$$ prepare_creds->ffffffff81069ec0
$$$ override_creds->ffffffff81069c60
$$$ revert_creds->ffffffff81069e60
$$$ Kernel Credentials detected
$$$ per_cpu__current_task->000000000000b580
$$$ K3rn3l per_cpu r3l0cs 3n4bl3d!
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ timer_list_fops->ffffffff81419c00
$$$ w34p0n 0f ch01c3: F0PZzZzzz
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng cr3d s3ash3llc0d3z
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ m4q1c p0rt4l l3n f0und: 0x7ece73bc
$$$ 0v3r thr0w f0ps g0v3rnm3nt
!!! y0u fuq1ng f41l. g3t th3 fuq 0ut!

No root.


Distribution security response times

Posted Sep 23, 2010 11:37 UTC (Thu) by wookey (subscriber, #5501)

Ooh, that hurts my eyes. Is leet-script really still cool?

Distribution security response times

Posted Sep 23, 2010 11:55 UTC (Thu) by nix (subscriber, #2304)

If you are a teenager, perhaps. (Personally I was fond of good typesetting even then, being quite capable of producing unreadable gibberish merely by putting pen to paper: so producing it intentionally didn't seem so attractive. I wonder if the author of this exploit has copperplate handwriting? :) )

Distribution security response times

Posted Sep 23, 2010 13:03 UTC (Thu) by jengelh (subscriber, #33263)

However, the testcase on http://sota.gen.nz/compat2/ does affect said kernel.

Exploit fails =/> not vulnerable

Posted Sep 23, 2010 15:50 UTC (Thu) by price (subscriber, #59790)

You can never rely on an exploit failing to tell you that a system is not vulnerable -- it may fail for some dumb reason that a skilled attacker could fix.

Novell says "SUSE Linux Enterprise Server 9, 10, 11, all service packs, and also openSUSE 11.1 - 11.3" are all affected.

I don't have a SUSE machine handy, nor SUSE kernel sources, so I can't confirm what the story is -- they may just mean they're in the same boat as RHEL 4, where they don't have compat_mc_getsockopt() but there may be other compat_alloc_user_space() call sites that are vulnerable. That'd take some real work to exploit, if it's possible at all. But I'd bet that at least the newer releases do have compat_mc_getsockopt() and are vulnerable (before yesterday's update), and that it wouldn't be too hard to modify ABftw.c to work.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds