I suspect in many cases there’s a simple answer: who takes the *blame* when something goes wrong?
If someone updates a component when “they don’t have to”, and it causes a problem, that person takes the fall: gets
demoted, fired, whatever. If a component is not updated, and the system is attacked, the *attacker* is blamed & the
admi ...
I think I can answer that. There's nothing technical going on here, it's down to the behaviour of the end users of
enterprise systems.
A lot of those people have a hard time understanding that they do actually want bug fixes and an even harder time
understanding that they need to actually do something to install those fixes (I was once aske ...
On Tue, Jan 12, 2021 at 03:23:16PM +0000, John Haxby wrote:
The subject of this thread is a "vulnerability" that requires root to
exploit and was fixed ages ago.
If we all agree that CVEs (in the context of the kernel, not userspace)
aren't here to provide technical value but rather a marketing scheme,
maybe we should just start treating them as ...
Gday,
A flaw was found in the Linux kernel's implementation of string matching
within a packet. A privileged user
(with root or CAP_NET_ADMIN) when inserting iptables rules could insert a
rule which can panic the system.
Likely a user with these permissions could do worse, however it crashes the
system (DOS) and the user is going to have a bad da ...
On Tue, Jan 12, 2021 at 04:58:07PM +1000, Wade Mealing wrote:
I still do not understand why you report issues that are fixed over a
year ago (October 2019) and assign them a CVE like this. Who does this
help out? And what about the thousands of other issues that are fixed
in the kernel and not assigned a CVE like this, are they somehow not as
i ...
On Tue, Jan 12, 2021 at 03:23:16PM +0000, John Haxby wrote:
Ok, I can understand that craziness, and somehow believe it, so I have
not complained when announcements like this come out for issues that
affect RHEL releases as RH is known for abusing^using the CVE system in
this manner. But that was not the case here at all, which is why I
asked th ...
On Tue, Jan 12, 2021 at 09:04:49AM +0100, Greg KH wrote:
I think this specific issue is relevant to projects providing container
virtualization with a security boundary, yet letting container root
manage the local iptables rules for the container. Wade's posting is a
useful heads-up for such projects. I've just forwarded it to
Virtuozzo/OpenVZ ...
On Tue, Jan 12, 2021 at 8:06 AM Sasha Levin <sashal () kernel org> wrote:
I didn't take a look at this specific bug very closely, but on certain
distributions (Ubuntu etc) it has been possible to get CAP_NET_ADMIN
in your own network namespace for years. An unprivileged user can
become root with all capabilities in their own user/network na ...