Gus Wirth wrote:
Ralph Shumaker wrote:
[snip]
Posting links from Slashdot doesn't have much value. But if you had
done a modicum of research you could have enlightened us. For
example, I saw that article and wondered about how long the
vulnerability existed. So I went to CERT <http://www.cert.org> and
did a search on madwifi. I found that CERT had issued an advisory in
early DECEMBER 2006 (2006-12-08)
<http://www.kb.cert.org/vuls/id/925529>. From there I found that the
madwifi folks had issued the patch ONE DAY BEFORE THE ADVISORY. A
fixed version of the madwifi drivers has been available since that day.
Odd that.
You didn't answer Lan's question. Neither he nor I saw your warning. When
did you warn us?
I didn't need to, because I know that as good security-conscious
Linux users you keep your systems up to date, subscribe to the CERT
list and periodically review sites like Security Focus
<http://www.securityfocus.com>
But just in case you don't do that, here are some of the latest items
from Security Focus:
* X.Org X11 XC-MISC Extension Integer Overflow Vulnerability
* KDE Konqueror/IOSlave FTP PASV Port-Scanning Vulnerability
* KDE Konqueror KHTML Library Title Cross Site Scripting Vulnerability
CONSIDER YOURSELF WARNED!
Unless you haven't updated your madwifi drivers since mid-December
2006 and are still at less than version 0.9.2.1 you aren't
vulnerable to this exploit.
The value in this story is that the following happened:
1) Someone found a flaw
2) They quietly contacted the madwifi team
3) The madwifi team fixed the flaw
4) The madwifi team published a fix
5) The world is notified that there is a problem and a fix is available
I think this is the way it should be.
Agreed!
The bad part of this story is that somehow something that was found
and fixed over four months ago somehow rears its head as a "My god,
Linux has a bug!" and gets regurgitated all over the place.
I don't think that's what he was saying at all. I think he was
rearing it as "My god, if you don't read such things (as I do not)
and are not aware of it, you may be vulnerable and may wish to update
at least this portion of your Linux, just in case y'all didn't know
it." I really don't remember *ever* hearing Lan naysaying Linux. My
god, Gus has a bug! (I won't say where.)
Perhaps I am unduly picking on Lan as he is just the messenger, but he
had a choice of what message to deliver. The message was the article
on PC World offered without comment. And it was the article on PC
World that was alarmist.
Perhaps I missed Lan's point, but I thought he was just saying, "Hey, I
know that not everyone reviews security bug notices. And a lot of us
could be vulnerable to this one if we're not up to date. Just a heads
up, guys." At least that was my impression.
And yes, I have many bugs :o
Gus
PS. Ford Pintos may explode when crashed!
Sarcasm duly noted. Nevertheless, if there is anyone out there who
even still has a Pinto and doesn't know about this flaw, then it
truly is a good thing that you are warning them about it. Thank you
for your *much* belated warning.
I, for one, am glad that Lan presented this. I did not know about
it. And I still run FC4. I'm pretty sure I don't have the update
since my yum stopped working in FC4. Anyway, I'm not currently at
risk since I have no wireless devices (except my cell phone and my
infrared remotes).
And I'm surprised that anyone would still be running FC4. According to
the Fedora Legacy project <http://fedoralegacy.org/>, the whole thing
has been shut down.
Your yum updates stopped working and you didn't even bother to find
out why?
Yes, I did. And that's when this list informed me that FC4 became legacy.
As to why I'm still on FC4, I don't yet have in place all the pieces of
my safety net. Almost there though. (Nor do I yet feel rushed.)
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list