Over at the bad place, @evilsocket has reported an unauthenticated RCE in all GNU/Linux systems.
-
Canonical, RedHat and others have confirmed the severity, rating it a 9.9. Despite this, no working fix or CVE has been issued. Simone says the devs responsible are being defensive and dragging their feet.
Are things really as bad as Simone says?
-
@dangoodin @[email protected] Might wanna see this: digitaldarkage.cc/@iaintshootinmis/113189119414905482
-
Jan Wildeboer replied to Dan Goodin
@dangoodin @evilsocket The Security folks seem to be fine with him disclosing the vulnerability in 2 weeks. So I guess they have good reasons for that.
-
Thanks, I hadn't seen. Unfortunately, it doesn't say much that we didn't already know. I'd love if people in the know would jump into either that thread or this one and give us the skinny.
-
@dangoodin I think extreme skepticism is healthy here. It's not just the severity that is sus, it's the claim that "developers" of something universal enough to be in both Linux and BSD are "not taking it seriously." That tends not to be the case, and instead there's a legitimate disagreement about the nature of the vulnerability.
For now, I'm okay waiting for disclosure with patches.
-
@dangoodin there's no technical details at all, it's just people panicking without knowing what they're panicking about, which InfoSec peeps are very good at and usually ends poorly. There's nothing actionable.
-
Jan Wildeboer replied to Kevin Beaumont
@GossiTheDog @dangoodin AKA ego-boosting clickbait. In 2 weeks we supposedly will see the meat, as agreed with the security folks at Red Hat, Canonical etc according to the reporter. When they are fine with the disclosure, I feel quite safe.
-
Risotto replied to Jan Wildeboer
@jwildeboer @GossiTheDog @dangoodin
*shakes the magic 8 ball*
"you will have a vulnerability reported 3 weeks ago, disclosed 2 weeks from now, that existed for a year in the wild. do you have logs and do threat hunting?"
*returns the magic CISO prediction ball*
-
LStorgaardNO replied to Jan Wildeboer
@jwildeboer @GossiTheDog @dangoodin yes, but if they start flinching on the disclosure date 1,5 week from now I think we're allowed a bit of panic.
-
Jan Wildeboer replied to LStorgaardNO
@LStorgaardNO Do you know anything about that being a possibility or are you just happily trying to add fuel to a fire that hasn't even been ignited yet? @GossiTheDog @dangoodin
-
LStorgaardNO replied to Jan Wildeboer
@jwildeboer @GossiTheDog @dangoodin sorry no, just an attempt to add some humour. I completely agree with you.
-
Over on the hell site, @evilsocket now says this vulnerability will be disclosed in about an hour.