Full Disclosure mailing list archives
Re: Linux Kernel CIFS Vulnerability
From: "Valdis' Mustache" <security.mustachio () gmail com>
Date: Thu, 9 Apr 2009 22:52:54 -0500
Andrea,

Do not be alarmed! At the time of this writing, my owner is fervently developing a response on this topic! It is a response which I have no doubt will apply a virtual salve to all of your bugbears, and assuage other tangential (and even unrelated) concerns as well.

Nonetheless, I feel compelled to ejaculate on this topic myself - albeit prematurely - since my response predates the presumably forthcoming warnings soon to issue from the varied and sundry organisations who bundle the Linux kernel distribution with their own customized versions of Tuxpaint and SameGnome.

On to the point. I must assert that despite the sadly DeRaadtian handling of this bug, a choice to run the Linux kernel and related software bundled with it still remains a sound choice from a security standpoint.

This remains especially veritable if the Linux kernel in question is improved with the addition of the excellent PageExec extensions, as developed by an anonymous (and rumors have it, bemustached) gentleman in Eastern Europe, and the unfortunately-named GotRoot access control and kernel hardening modules, authored by a lovable misfit ensconced somewhere in the bowels of a sanitarium in Maryland.

While the whims of Finns remain - as ever - unfathomable and abstruse, this mustache stands firm as a believer that the selection of Linux is the lesser of the four evils (BSD, Linux, Windows, and, least of all, Apple) serviceably available for my hairy computing choices.

Your Humble Servant,
A bajusz a Valdis

On Thu, Apr 9, 2009 at 9:52 AM, Andreas Bogk <andreas () andreas org> wrote:
> Thierry Zoller wrote:
> > AB> Neither the Linux kernel team, the CIFS maintainers nor any of
> > AB> the commercial Linux distributors bothered to send out an advisory.
> > AB> I'm at loss for words other than "irresponsible, arrogant
> > AB> assholes". Linux 2009 == Microsoft 2002.
> >
> > I second that, the reason is interesting too; Linus considers security bugs as nothing else than normal bugs.
>
> I don't mind his policy of "just fixing the bug". But I do mind when the changelog doesn't clearly state "hey, we're fixing a security issue here".
>
> > The door closes slowly for Linux in enterprises.
>
> So true, and so sad. I remember a time when using Linux was giving actual security benefits over using Windows. These times are over. And the security gap between MS and Open Source products will continue to widen.
>
> The only OS project I know about that seriously tried to improve fundamental architectural security issues was BitC and CoyotOS. BitC is a programming language designed to combine the speed of C with the soundness of strongly typed fundamental languages, thus preventing a lot of bug classes from the start, and enabling correctness proofs across the code. The project won't be finished, since the main author, Jonathan Shapiro, will soon hold a "fairly senior position" in the Midori project at MS.
>
> Andreas
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/