WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] patch for vanilla kernel

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] patch for vanilla kernel
From: "Valter Douglas Lisbôa Jr." <douglas@xxxxxxxxxxxxx>
Date: Tue, 26 Feb 2008 21:05:59 -0300
Delivery-date: Tue, 26 Feb 2008 16:06:46 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.64.0802261502010.25440@localhost>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Organization: Trenix - IT Solutions
References: <47C44EEA.60908@xxxxxxxxx> <200802261853.55676.douglas@xxxxxxxxxxxxx> <Pine.LNX.4.64.0802261502010.25440@localhost>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.9.7

On Tuesday 26 February 2008 20:18:42 Tom Brown wrote:
> On Tue, 26 Feb 2008, Valter Douglas Lisbôa Jr. wrote:
> > On Tuesday 26 February 2008 16:54:42 Tom Brown wrote:
> >> On Tue, 26 Feb 2008, Tom Brown wrote:
> >>> On Tue, 26 Feb 2008, Pasi Kärkkäinen wrote:
> >>>
> >>> I can not agree with that. If you're messing around on your desktop
> >>> machine, ok... you've already got root and you are the only user...
> >>> security patches aren't important in that scenario ... but if you're
> >>> providing real services to real users, and you don't want some script
> >>> kiddie wiping out your box starting from a PHP or SQL injection
> >>> exploit, then you need to be using kernels that aren't 18 months out of
> >>> date.
> >
> > Hmm... SQL injections don't have any issue with kernels, and PHP failures
> > normally run with low-level privileges on the system; it could... but it's
> > not likely to hit the kernel without huge effort.
>
> wtf? 

My English is not so good, what does this mean :-)

> There are thousands of crappy PHP scripts out there that can be 
> tricked into running arbitrary code ... 
> add any one of the privilege 
> escalation vulnerabilities and the attacker can escalate "arbitrary code"
> into "root access".

Yes, but doing it is not so easy. If it were true, we would be getting tons of 
exploits daily. Finding a security flaw is one thing, revealing it to the world is 
another, and making a real working exploit usable by anyone is yet another. :-) 

I wasn't saying it cannot be done, and it is our obligation to update the system (of 
course it is), but doing a real penetration of a system from "bad input handling 
in PHP" to "executing shellcode on the system to become root" is hard, takes time 
and requires skill. A wannabe invader is not likely to hack through a system 
without many working tools (read: many ready-to-hand exploits). Doing it by raw 
force (read: finding the flaw, creating a way to exploit it, writing the shellcode, 
etc.) is quite rare (for good or for bad). Most security flaws 
shown on the Internet lack the proof-of-concept tool part and are simply announced.

Note I don't want to say that we can ignore security flaws! We need to maintain an 
upgraded system at every level, from high level down to the kernel. What I mean is: 
script kiddies cannot do it so easily.

Coming back to the thread, any security issue in the kernel 2.6.18.x had a 
correction, official or not. Some of them were posted on the Xen-devel list a 
couple of days back.

Again, the main problems I see/find in staying on 2.6.18.x are the lack of drivers 
for recent hardware and some newer kernel features. It's a very stable 
branch; the only major bug that troubles me is old AMD+PCChips hardware (no 
way to make it work!)

Finally, I will be very happy if Xen becomes officially part of the vanilla 
kernel too.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users