-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Oct 10, 2005 at 11:22:38AM -0700, John Dell wrote:
> Since you have a history with YDL, you may (or may not) appreciate that 
> CentOS uses yum as the default updater (not up2date).

I do very much appreciate that fact.  One of my friends, Stephen Edie,
former roommate/coworker and probably one of my best friends in the world, 
wrote Yup!  In fact I also have hacked on yup and yum.  And so has my 
friend Bryan Stillwell.  Yup was not fun to maintain, so we gave it to 
Bryan when he first got hired at TSS. >:)  That was back when every few
lines was the same string hardcoded.  I guess a good search and replace
would've fixed it.  Yum still has a lot of the residual hilarity in the
source from yup, and many good features as well.

> Regarding your question, I mean (as you say) that I can access the 
> repository to get security updates.

I don't see that as a value addition.  It was very tedious digging
through their site and going. Ah... hrm well oh no I typed in the wrong
login.. Ok now I am not logged in as AS but WS.  Hrm... no they don't
have it for ia64 yet.  Great... ok well I'll build it from the SRPM.
Hrm the SRPM doesn't build.  In fact that's almost always the case with
RH.  I wonder if they intentionally ship different SRPMS than they built
the distro on just to fuck with people.  Heheh... ah well.  It's all
good.  In the end I don't care who uses what distro or even what OS.  If
you like to run Plan9 cool. :-)  All I'm saying is if at all possible I
hope to never work for an RH shop again.  There must be some
corporations based on Debian... right? </wishful thinking>

> Regarding Debian security, FWIW, there was a recent LWN article the 
> broke down response time to security issues by major distro's.  The 
> editors were surprised at how Debian had slipped on response time.

You don't have to tell me. ;) I sent a local root exploit for the osh
package to the debian maintainer.  Many moons later they updated it.
At some point I got bored and checked the latest patched version...
posted another local root exploit.  The worst time from disclosure to
update I've ever experienced is Sun.  It took them like 6 months to fix
this Cobalt Linux bug I found!

--8<----(snip from Debian changelog)----
osh (1.7-14) unstable; urgency=high

  * urgency set to high because this version fixes a buffer overflow
    that causes unauthorized privilege escalation (thanks to Charles Stevenson
    <[EMAIL PROTECTED]> for the bug report)
  * handlers.c: use malloc() to avoid buffer overflow in writeable()

 -- Oohara Yuuma <[EMAIL PROTECTED]>  Wed, 17 Aug 2005 02:29:03 +0900

osh (1.7-13) unstable; urgency=high

  * urgency set to high because this version fixes a buffer overflow
    that causes unauthorized privilege escalation (thanks to Charles Stevenson
    <[EMAIL PROTECTED]> for the bug report)
  * main.c: s/strcpy/strncpy/ and s/strcat/strncat/ to avoid a buffer overflow

 -- Oohara Yuuma <[EMAIL PROTECTED]>  Sun,  6 Feb 2005 13:36:02 +0900
---8<-------------

Proof-of-concept code here:
 http://www.milw0rm.com/id.php?id=788
 http://www.milw0rm.com/id.php?id=1154

To his credit the maintainer has documented that this is a known issue
and I really don't think anyone uses the package anyways.

 "The osh web page (http://www.engarde.com/~mcn/osh.html) says:
 9/21/99
 BEWARE: There are vulnerabilities within Osh. If you're using Osh as it was
 intended (to restrict trusted insiders to the commands they need access to,
 as well as auditing), then you'll be fine. If you intend on fielding this to
 users who are untrustworthy, or who may be trying to gain additional access,
 you should NOT. There simply has been too little interest in Osh to warrant
 fixing these problems. If it's important to you that these get fixed, send me
 a patch!"

I've also written clamav exploits and inn2 exploits and so on and so
forth.  Linux Capabilities have been available since 2.2.13 and I really
haven't yet read an advisory about someone finding a way around them.
I've given people root on a box and watched them flounder around unable
to do anything to the system.  Chattr +i everything you don't want
changed.  Remove CAP_SYS_IMMUTABLE etc... done... game over.  We used it
during a capture the flag wargames and I mentioned it in the whitepaper
(http://roothack.org/whitepapers/showarticle.php?id=12)

What you have to realise is that Debian is not run by people who are
paid to maintain you with rapid security updates.  It's run by a
community of users who are more focused on stability.  My friend Tony
has had his servers in non-stop operation for 4 years running Debian.
If he'd tried to seamlessly upgrade from RH it would have required much
downtime.  Especially from rpm version 3.x to rpm version 4.  And I
can't remember offhand the other frustrations.

So, but that's not why I used Debian.  I use Debian because of the
amount of packages available on every architecture conceivable.  RH runs
on very few arches natively.  I run Debian because of apt-get and the
Debian policy.  I run Debian because I know how to build my own Debian
packages.  In the end the security of a system comes down to the
administrator running it, not the operating system or software packages
as I believe has been demonstrated in at least a few CTF games.

peace,
core

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDTTZDGAuLrxOyeJMRArUsAKDrJg1K/pj+N6u17uID0t7/hiXW6wCgjiL5
X/tFcpmLoOHJYc8TJYtxpwM=
=QU8V
-----END PGP SIGNATURE-----

_______________________________________________
RLUG mailing list
[email protected]
http://lists.rlug.org/mailman/listinfo/rlug
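The Debian changelog quoted in the message names two fixes for the osh buffer overflow: replacing `strcpy`/`strcat` with their bounded versions in main.c, and sizing a buffer with `malloc()` in handlers.c instead of using a fixed one. The following C program is an added example written for this page; it is not code from osh, from the Debian package, or from the message's author. It shows both patterns, and it also covers the caveat that a bare `strncpy` swap leaves open: when the source fills the destination, `strncpy` writes no terminating NUL, so the bounded helper checks lengths first and rejects input that would not fit rather than silently truncating. All function names, the buffer size and the sample paths are constructed for illustration.

```c
/* Added example (not from the osh package or the Debian changelog):
 * the two fix patterns the changelog names, bounded copying in place of
 * strcpy/strcat and an allocation sized to the input in place of a fixed
 * buffer.  Function names, sizes and inputs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_BUF 32   /* constructed: a small fixed buffer like a shell might use */

/* Bounded replacement for strcpy+strcat.  strncpy alone does not
 * NUL-terminate when the source fills the buffer, so the sizes are checked
 * first and the terminator written explicitly.  Returns 0 on success, -1 if
 * the result would not fit (the caller treats that as an error, not as
 * silent truncation). */
int join_bounded(char *dst, size_t dstsz, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    /* check la first so the second subtraction cannot underflow */
    if (dstsz == 0 || la > dstsz - 1 || lb > dstsz - 1 - la)
        return -1;                 /* would overflow: refuse the input */
    memcpy(dst, a, la);
    memcpy(dst + la, b, lb);
    dst[la + lb] = '\0';
    return 0;
}

/* Heap-allocated replacement for a fixed buffer: the destination is sized
 * from the inputs, so no input length can overrun it.  Caller frees it. */
char *join_alloc(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    char *out = malloc(la + lb + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, a, la);
    memcpy(out + la, b, lb);
    out[la + lb] = '\0';
    return out;
}

int main(void)
{
    char buf[CMD_BUF];
    /* constructed inputs: one that fits and one long enough to overrun CMD_BUF */
    const char *dir = "/home/user/";
    const char *short_name = "notes.txt";
    const char *long_name = "a-file-name-long-enough-to-overflow-the-buffer.txt";

    if (join_bounded(buf, sizeof buf, dir, short_name) == 0)
        printf("bounded: %s\n", buf);
    if (join_bounded(buf, sizeof buf, dir, long_name) != 0)
        printf("bounded: rejected %zu-byte input for %d-byte buffer\n",
               strlen(dir) + strlen(long_name), CMD_BUF);

    char *p = join_alloc(dir, long_name);
    if (p != NULL) {
        printf("alloc: %s\n", p);
        free(p);
    }
    return 0;
}
```

The design point is that both helpers make the destination size an explicit part of the contract: `join_bounded` takes it as a parameter and fails loudly, while `join_alloc` derives it from the input. Either removes the implicit assumption that a caller-supplied string fits a fixed array, which is the assumption the changelog's `strcpy` calls relied on.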
