Ralph Shumaker wrote:
[snip]
Posting links from Slashdot doesn't have much value. But if you had
done a modicum of research you could have enlightened us. For example,
I saw that article and wondered about how long the vulnerability
existed. So I went to CERT <http://www.cert.org> and did a search on
madwifi. I found that CERT had issued an advisory in early DECEMBER
2006 (2006-12-08) <http://www.kb.cert.org/vuls/id/925529>. From there
I found that the madwifi folks had issued the patch ONE DAY BEFORE THE
ADVISORY. A fixed version of the madwifi drivers has been available
since that day.
Odd that.
You didn't answer Lan's question. He (nor I) saw your warning. When
did you warn us?
I didn't need to, because I know that as good security conscience Linux
users you keep your systems up to date, subscribe to the CERT list and
periodically review sites like Security Focus <http://www.securityfocus.com>
But just in case you don't do that, here are some of the latest items
from Security Focus:
* X.Org X11 XC-MISC Extension Integer Overflow Vulnerability
* KDE Konqueror/IOSlave FTP PASV Port-Scanning Vulnerability
* KDE Konqueror KHTML Library Title Cross Site Scripting Vulnerability
CONSIDER YOURSELF WARNED!
Unless you haven't updated your madwifi drivers since mid-December
2006 and are still at less than version 0.9.2.1 you aren't vulnerable
to this exploit.
The value in this story is that the following happened:
1) Someone found a flaw
2) They quietly contacted the madwifi team
3) The madwifi team fixed the flaw
4) The madwifi team publishes a fix
5) The world is notified that there is a problem and a fix is available
I think this is the way it should be.
Agreed!
The bad part of this story is that somehow something that was found
and fixed over four months ago somehow rears it's head as a "My god,
Linux has a bug!" and gets regurgitated all over the place.
I don't think that's what he was saying at all. I think he was rearing
it as "My god, if you don't read such things (as I do not) and are not
aware of it, you may be vulnerable and may wish to update at least this
portion of your Linux, just in case y'all didn't know it." I really
don't remember *ever* hearing Lan naysaying Linux. My god, Gus has a
bug! (I won't say where.)
Perhaps I am unduly picking on Lan as he is just the messenger, but he
had a choice of what message to deliver. The message was the article on
PC World offered without comment. And it was the article on PC World
that was alarmist.
And yes, I have many bugs :o
Gus
PS. Ford Pinto's may explode when crashed!
Sarcasm duly noted. Nevertheless, if there is anyone out there who even
still has a Pinto and doesn't know about this flaw, then it truly is a
good thing that you are warning them about it. Thank you for your
*much* belated warning.
I, for one, am glad that Lan presented this. I did not know about it.
And I still run FC4. I'm pretty sure I don't have the update since my
yum stopped working in FC4. Anyway, I'm not currently at risk since I
have no wireless devices (except my cell phone and my infrared remotes).
And I'm surprised that anyone would still be running FC4. According to
the Fedora Legacy project <http://fedoralegacy.org/>, the whole thing
has been shut down.
Your yum updates stopped working and you didn't even bother to find out why?
Gus
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
