Affects all Linux systems,... Except when it doesn't...
JaseP, Jan 27, 2015 7:01 PM EDT:
The announcement says that it affects all Linux systems,... Which is true,... except when it doesn't... The bottom line is that the bug was inadvertently patched 2 years ago, but that because it wasn't listed as a security patch, it didn't get back-ported. Ars Technica also had an article about it, in which the threat was more overblown than in this article... Patches have already been released for most major distros. The kernel does not need to be restarted (but some services might have to be). The Ars Technica article made more noise about restarting services than was necessary, claiming that servers would need to be restarted and as a result, probably wouldn't be and would be left vulnerable... So, it's "Yet Another Sky-Is-Falling Bug,"... YASB, for short...
seatex, Jan 27, 2015 7:41 PM EDT:
JaseP - you know they have to over-hype anything like this whenever the opportunity arises. It's their journalistic duty to produce only the best click-bait they possibly can.
BernardSwiss, Jan 27, 2015 10:16 PM EDT:
Actually, I thought it was a fairly reasonable article (and updates with more info are being added). Perhaps the [Ars Technica] article is a little strongly worded -- but then, apparently out of concern about the temptation for system admins to "put off" necessary measures (talking about servers, here) because of the possible/likely need to reboot the whole system. I think this is the real issue; the human factor is always a consideration. Some people will simply not want to accept the down-time -- and won't catch and re-start all the old processes either.
Edit, for clarity: it appears I was conflating the Ars Technica article with this one (which I wouldn't even describe as "strongly worded").
JaseP, Jan 27, 2015 10:37 PM EDT:
The problem is not the bug, the patch, or getting the word out,... The problem is people acting like, "OMG!!! Another deadly serious Linux vulnerability!!!" when none of that is really true; 1) it's not really a Linux (as in kernel) bug, it's a libc bug... 2) it's not deadly serious,... just pretty serious (as in do something about it,... but not cause a panic),... and 3) it's not really a vulnerability, in the sense that there is the potential to exploit it, on SOME services running on a server, but not all (or necessarily the most popular), and only a proof-of-concept exploit. (Caveat: I know some will take issue with my wording, especially #3,... vulnerability vs. exploit,... but the sentiment is the same no matter how you word it). In short,... Keep on reporting security flaws,... keep on patching them,... take them seriously,... but absolutely stop the doomsday predictions... a/k/a "Worse than the XXXXXX bug!!!..." They are getting old...
mrider, Jan 28, 2015 12:31 PM EDT:
Looks like we'll get more mileage* from the story than the vulnerability. I just ran apt-get update and apt-get upgrade last night, and unsurprisingly Debian has already back-ported the fix.
* Funny how I've never heard the word "kilometerage". :)
CFWhitman, Jan 28, 2015 5:25 PM EDT:
So far I've only seen one service that tested out as vulnerable to this exploit, Exim. On the other hand I've seen a list of around thirty that tested out not to be vulnerable for one reason or another.