#1 |
Galvatron
Join Date: January 10, 2002
Location: Upstate NY
Age: 57
Posts: 2,109
|
Docbook to man Insecure temp file creation
LPRng Script Insecure temp file creation
Red Hat update for acroread
KDE Buffer Overflow Vulnerability
RPM Finder "web()" Buffer Overflow and Insecure File creation
Debian debmake insecure temp dir creation
Sybase ASE Three Unspecified Vulnerabilities
Fedora update for libtiff
Mandrake update for kdelibs
Mandrake update for logcheck
Mandrake update for krb5
SUSE update for samba
Mandrake update for mplayer
SurgeMail unspecified webmail security issue
2bgal "id album" SQL injection Vulnerability
6 are rated "Highly Critical"; all are vulnerabilities or repairs for vulnerabilities in LINUX software or OS (except surgemail which is multiplatform). |
#2 |
Jack Burton
Join Date: November 10, 2001
Location: Bathurst & Orange, in constant flux
Age: 38
Posts: 5,452
|
Which of those applies to the Linux OS? I count... none.
Of these, 6 are distro-specific updates - meaning, the fix has already been made in the software before this, and that the fixed version has been landed in that distro's official package repositories. Given the nature of open source, it is highly likely that these were available in non-official repositories in the appropriate format before now. Also, for them to be called 'updates' on Secunia would seem to mean that this has been fixed before it has been made public.
The unspecified vulnerabilities have fixes: this is their very nature. Secunia has been told that holes have been plugged, but not been given the exact details.
So, that leaves 6 vulnerabilities, across multiple unrelated programs. And let's see how serious they are...
LPRng Script.. : Less Critical, requires local system access (meaning it has to be done sitting right there at that machine, rather than - like most of the Windows flaws - somewhere on the internet).
RPM Finder: Moderately Critical, from remote. But, oh look, this is patched. 5 vulnerabilities, in unrelated programs.
debmake: Less Critical, local system, patched. 4 unpatched, still in unrelated programs.
kpdf buffer overflow: ok, highly critical. But this is also patched. Note that it would be extremely critical if there were exploits in the wild, but.. there aren't.
Docbook-to-Man: less critical
SQL injection: Less critical
Meaning, of all these, there are 3 unpatched. All of these are marked 'less critical', and require local access. Of the remaining 12, 6 were seemingly patched very quickly after they became known (Secunia publishes vulnerabilities a certain time after telling the vendor - a few weeks, I think). That leaves... 6 vulnerabilities in 6 different applications that are patched, but possibly took a while to come out.
Which means that you seem to be exaggerating the seriousness of this a bit. Can you try to tell the whole story next time? |
#3 |
Ironworks Webmaster
Join Date: January 4, 2001
Location: Lakeland, Florida
Age: 52
Posts: 11,727
|
Can we stop the 'my OS is better than yer OS' please? Cannot 2 different OSes exist? Let's stop this petty stuff. [img]smile.gif[/img]
|
#4 | |
Jack Burton
Join Date: August 24, 2002
Location: Aussie now in the US of A!
Age: 38
Posts: 5,403
|
Quote:
I think we should have a ban on "Vulnerability to OS's" threads [img]tongue.gif[/img] |
|
#5 | ||
Jack Burton
Join Date: November 10, 2001
Location: Bathurst & Orange, in constant flux
Age: 38
Posts: 5,452
|
Quote:
Quote:
|
||
#6 |
Jack Burton
Join Date: August 24, 2002
Location: Aussie now in the US of A!
Age: 38
Posts: 5,403
|
Ok, but we don't need to be told when we are susceptible to attacks through Notepad.
I just think that only serious vulnerabilities should be discussed. Mainly because there seem to be so many threads about them here lately. And I know that I am not the only one who is getting sick of them. |
#7 |
Galvatron
Join Date: January 10, 2002
Location: Upstate NY
Age: 57
Posts: 2,109
|
[img]smile.gif[/img] ... just pointing out that a running ticker of vulnerabilities biased to provide the illusion that M$ alternatives are somehow better is a bit ludicrous... we are all living in glass houses.
I also think it's downright dangerous to mislead people into believing that Linux is not subject to as many flaws and vulnerabilities as Windows. People should choose an OS knowing that NONE of them are perfect, and only seeing Windows problems highlighted day after day is misleading at best... deceptive at worst. A ban would probably be a good idea, point people to sites like Secunia and tell them to do their own research. Today's Secunia list, like yesterday's, was dominated by UNIX/LINUX software. |
#8 |
Jack Burton
Join Date: November 10, 2001
Location: Bathurst & Orange, in constant flux
Age: 38
Posts: 5,452
|
Saying Linux is more secure isn't a myth. It's true and proven. Yes, proven - this has been researched.
Jarrad, any vulnerability is potentially serious. That one in Wordpad (not notepad [img]tongue.gif[/img] ) was especially serious, since it was a buffer overflow (meaning it can allow basically anything to happen that the OS lets that program do (which is, in all OS's, probably not what you think)). But, I do try to limit it to only the serious flaws, in programs people are likely to have installed... if I didn't do that, my post count would either be a lot higher, or reset for spamming. [img]tongue.gif[/img] |
#9 |
Ironworks Webmaster
Join Date: January 4, 2001
Location: Lakeland, Florida
Age: 52
Posts: 11,727
|
Lennon, did I not just say chill it!?
NO software is EVER 100% safe. And never will be. ALL code has mistakes, ALL code has vulnerabilities. As long as there are people that seek them. MMMkay? [img]smile.gif[/img] Now drop it, and Merry Christmas! |
#10 | ||
Jack Burton
Join Date: November 10, 2001
Location: Bathurst & Orange, in constant flux
Age: 38
Posts: 5,452
|
Quote:
Quote:
EDIT: Fixed quotes. [ 12-25-2004, 05:33 PM: Message edited by: LennonCook ] |
||