http://arstechnica.com/security/2013...er-silent-fix/
From the article:

For more than two years, the Linux operating system has contained a high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered "root" access over machines, including servers running in shared Web hosting facilities and other sensitive environments. Surprisingly, most users remain wide open even now, more than a month after maintainers of the open-source OS quietly released an update that patched the gaping hole.

And from the article's comments:

The Linux devs have a policy of saying anything could be a security bug, so they actively downplay known security bugs, not marking them as such in most cases. The user namespace vulnerability from a couple of weeks ago (which could likewise get you root) also wasn't reported as a security issue, just passed off as a generic bug fix.

There are many, many examples (just see what the PaX Team or Brad Spengler write about to see many other instances), but for whatever reason the Linux devs don't take security seriously.

Kinda worrying, IMO. Anyone with a lot of security experience (Steve!) want to chime in here?