[EMAIL PROTECTED] wrote:
> Recently multiple servers of the Debian project were compromised using a
> Debian developer's account and an unknown root exploit. Forensics
> revealed a burneye encrypted exploit. Robert van der Meulen managed to
> decrypt the binary which revealed a kernel exploit. Study of the exploit
> by the RedHat and SuSE kernel and security teams quickly revealed that
> the exploit used an integer overflow in the brk system call. Using
> this bug it is possible for a userland program to trick the kernel into
> giving access to the full kernel address space. This problem was found
> in September by Andrew Morton, but unfortunately that was too late for
> the 2.4.22 kernel release.
Does this mean that the vendor-sec concept has failed, or that there is a leak on that list? Or is this just an issue which is very specific to Linux and its maintainer situation?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
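The integer overflow the quoted text describes, shown as an added illustration in C. This is not the kernel's code nor the recovered exploit; it only models the arithmetic behind the class of bug: a requested region [addr, addr+len) whose end is computed in 32-bit arithmetic and never compared against the top of user space. Assumptions, all made up for the example: a 32-bit address space with the usual 3G/1G split (TASK_SIZE = 0xC0000000), a 4 KiB page size, a "weak" validator that checks only the start address, and a "checked" validator with the end-of-range and wrap-around tests that close the hole. Mapping and page-table work is out of scope.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Assumed constants for the model (not taken from any kernel source). */
#define TASK_SIZE     0xC0000000u            /* first kernel address on a 3G/1G split */
#define PAGE_SIZE     4096u
#define PAGE_MASK     (~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)

enum brk_result { BRK_OK = 0, BRK_EINVAL = -1 };

/* Weak validation (models the bug class): the start address is checked,
 * but the end of the region is computed in 32-bit arithmetic and never
 * compared against TASK_SIZE, so addr + len may wrap past 0xFFFFFFFF and
 * a region that reaches into kernel space is accepted. */
enum brk_result brk_range_weak(uint32_t addr, uint32_t len, uint32_t *end)
{
    if (addr >= TASK_SIZE)
        return BRK_EINVAL;
    *end = addr + len;                       /* silently wraps on overflow */
    return BRK_OK;
}

/* Hardened validation: reject any region whose end lies above TASK_SIZE
 * or whose end wrapped around (end < start).  Both tests are needed: the
 * first catches a region that merely crosses into kernel space, the
 * second catches one whose end wrapped back to a small user address. */
enum brk_result brk_range_checked(uint32_t addr, uint32_t len, uint32_t *end)
{
    uint32_t e = addr + len;
    if (addr >= TASK_SIZE)
        return BRK_EINVAL;
    if (e > TASK_SIZE || e < addr)
        return BRK_EINVAL;
    *end = e;
    return BRK_OK;
}

/* Ground truth computed in 64-bit arithmetic: does [addr, addr+len)
 * touch any address at or above TASK_SIZE? */
bool region_reaches_kernel(uint32_t addr, uint32_t len)
{
    return (uint64_t)addr + (uint64_t)len > TASK_SIZE;
}

/* Page-aligning a length is a second place the same wrap can bite:
 * rounding a value near 0xFFFFFFFF up to a page boundary yields 0. */
uint32_t page_align32(uint32_t len)
{
    return PAGE_ALIGN(len);
}

int main(void)
{
    /* Constructed request: starts just below TASK_SIZE, length chosen so
     * that addr + len == 0x100000000, which wraps to 0 in 32 bits. */
    uint32_t addr = 0xBFFF0000u, len = 0x40010000u, end = 0;

    printf("weak    : %s, end=0x%08x, reaches kernel=%d\n",
           brk_range_weak(addr, len, &end) == BRK_OK ? "accepted" : "rejected",
           end, region_reaches_kernel(addr, len));
    printf("checked : %s\n",
           brk_range_checked(addr, len, &end) == BRK_OK ? "accepted" : "rejected");
    printf("PAGE_ALIGN(0xFFFFFFFF) = 0x%08x\n", page_align32(0xFFFFFFFFu));
    return 0;
}
```

Running it shows the weak validator accepting a region whose computed end is 0 although it spans the whole kernel half of the address space, while the checked validator rejects both that request and a non-wrapping one that merely ends above TASK_SIZE.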
