On Friday 26 August 2016 14:19:25 Jeff Epler wrote:
> Linuxcnc.org has never done security updates for kernels or other
> prerequisites for LinuxCNC that we host on linuxcnc.org's apt
> repositories, and absent new volunteers who will contribute their time
> to do so this is unlikely to change.
>

In this environment, I can't argue. You all do what you can, and adding that to the responsibilities makes zero sense. I guess I posted that more as a heads up than anything else.

> In the case of remote (network) kernel vulnerabilities, I recommend
> never connecting a linuxcnc machine to an untrusted network. I put
> all mine behind nat-style technologies.

So do I, and I can't believe any of these folks ever doing it otherwise. My router runs dd-wrt and has for a decade or more. Only one has come thru it except the viewers of my web page, which is on this machine. That singular person I needed help from, and gave him the pw's, which are suitably lengthy.

> No, I don't know whether NAT
> mitigates this particular CVE.

This one, since it would come into an established connection, would rather effectively bypass any NAT protections. OTOH, my server is bare bones, no accessory stuff to dress it up, so it may be that's enough to discourage the black hats. And it's running in a user:group that is intentionally set up as one of the walls of the sandbox. But I am rather far from being a guru on this. Perhaps, since I am running apache2, I am the test monkey? :) I've played the part of the coal mine canary for long enough I enjoy it. And I've good backups. ;-)

> In the case of local vulnerabilities, any user who can run "realtime
> start" owns the machine so local privilege escalation attacks are
> uninteresting to me.

I hadn't considered that, but you're right as rain. (unless you are up to your nose in it like some of Louisiana)

Thanks Jeff

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
