RE: [stable] Linux 2.6.25.10

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: David@Lang. Hm <david@...>

Cc: Greg KH <greg@...>, <linux-kernel@...>, <stable@...>

Date: Friday, July 18, 2008 - 9:51 pm

David Lang wrote:

quoted text> > That means only people with the time, energy, and expertise to create an
> > exploit will have an exploit. This includes probably 90% of the
> > people who
> > would use the exploit maliciously

quoted text> haven't you ever heard of script-kiddies? they are by far the majority of
> attacks on systems but do not have the expertise to create exploits. it
> takes someone else writing the exploit for them and packaging it to make
> them a threat.

Nobody is saying you should package the exploit. If they need someone else
to package it, they'll still need that. So the question is not if this will
deter script kiddies but whether it will deter the people who package
exploits for them. And from experience, I can tell you that answer is no.
Manys attacks that were believed too difficult for the script kiddies to do
were packaged by people who had the expertise and then used by script
kiddies.

quoted text> in the meantime there's a chance for the fix to get propogated out to a
> released version and for people to upgrade their systems. providing
> exploit code along with the bugfix means that the script kiddies have the
> exploit immediatly, but the fix isn't in any released version (not even a
> -rc or daily -git snapshot)

The alternative is that the fix gets released but not implemented.

quoted text> > It does, however, ensure that the majority of
> > ordinary users won't be able to test their systems to see if they're
> > vulnerable or if the vulnerability is fixed. So at least it
> > will have some
> > effect.

quoted text> how many people run exploits against their production systems to 'see if
> they are fixed', very few, and those only on strict schedules
> with lots of
> adnvance notice and other safeguards.

I can tell you how many run exploits against their production systems when
they don't know the exploits exist -- zero. It takes, at a minimum, the
knowledge that an exploit is possible. In the cases being discussed, even
this was withheld.

Fixes will not be widely deployed on a timely basis unless, at an absolute
minimum, it is known that there is an exploitable bug that has been fixed.

DS

--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Linux 2.6.25.10, Greg KH, (Wed Jul 2, 11:58 pm)

Re: Linux 2.6.25.10, Bart Van Assche, (Thu Jul 3, 1:08 pm)

Re: Linux 2.6.25.10, Greg KH, (Thu Jul 3, 1:29 pm)

Re: Linux 2.6.25.10, Bart Van Assche, (Sat Jul 5, 3:54 am)

Re: Linux 2.6.25.10, Greg KH, (Tue Jul 8, 12:12 am)

Re: Linux 2.6.25.10, Greg KH, (Thu Jul 3, 2:57 pm)

Re: Linux 2.6.25.10, , (Thu Jul 3, 3:31 pm)

Re: [stable] Linux 2.6.25.10, Greg KH, (Mon Jul 14, 8:04 am)

RE: [stable] Linux 2.6.25.10, David Schwartz, (Fri Jul 18, 8:47 pm)

RE: [stable] Linux 2.6.25.10, , (Fri Jul 18, 9:01 pm)

RE: [stable] Linux 2.6.25.10, David Schwartz, (Fri Jul 18, 9:51 pm)

Re: [stable] Linux 2.6.25.10, Willy Tarreau, (Sat Jul 19, 1:41 am)

Re: [stable] Linux 2.6.25.10, , (Mon Jul 14, 10:14 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Mon Jul 14, 10:27 pm)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Tue Jul 15, 4:15 pm)

Re: [stable] Linux 2.6.25.10, Bernd Eckenfels, (Sat Jul 19, 9:13 pm)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Tue Jul 15, 7:34 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 11:31 am)

Re: [stable] Linux 2.6.25.10, Theodore Tso, (Tue Jul 15, 2:33 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 4:28 pm)

Re: [stable] Linux 2.6.25.10, Greg KH, (Tue Jul 15, 6:39 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 7:09 pm)

Re: [stable] Linux 2.6.25.10, David Miller, (Tue Jul 15, 6:47 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 7:22 pm)

Re: [stable] Linux 2.6.25.10, David Miller, (Tue Jul 15, 7:35 pm)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Tue Jul 15, 7:08 pm)

Re: [stable] Linux 2.6.25.10, David Miller, (Tue Jul 15, 7:21 pm)

Re: [stable] Linux 2.6.25.10, Tiago Assumpcao, (Tue Jul 15, 7:26 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 7:26 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 12:07 pm)

Re: [stable] Linux 2.6.25.10, , (Tue Jul 15, 3:03 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 3:16 pm)

Re: [stable] Linux 2.6.25.10, Linus Torvalds, (Tue Jul 15, 12:13 pm)

Re: [stable] Linux 2.6.25.10, Aidan Thornton, (Thu Jul 17, 5:08 pm)

Re: Linux 2.6.25.10, Greg KH, (Wed Jul 2, 11:58 pm)


linux-kernel:
Stephen Smalley	Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Jan Engelhardt	intel iommu (Re: -mm merge plans for 2.6.23)
Greg Kroah-Hartman	[PATCH 005/196] Chinese: add translation of SubmittingDrivers
git:

linux-activists:
David Fenyes	sigsetmask()? (LINUX)
Stephen Tweedie	Unmounting root (no kidding!) [was: Some Linux problems---solved]
Les Andrzejewski	X386/WD90C31/SUMSUNG SYNC MASTER 4
Doug Evans	Re: Stabilizing Linux
linux-netdev:
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Linus Torvalds	Re: [GIT]: Networking
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Herbert Xu	Re: [PATCH] myr10ge: again fix lro_gen_skb() alignment

RE: [stable] Linux 2.6.25.10

Online users