On Tuesday 26 February 2008 20:18:42 Tom Brown wrote:
> On Tue, 26 Feb 2008, Valter Douglas Lisbôa Jr. wrote:
> > On Tuesday 26 February 2008 16:54:42 Tom Brown wrote:
> >> On Tue, 26 Feb 2008, Tom Brown wrote:
> >>> On Tue, 26 Feb 2008, Pasi Kärkkäinen wrote:
> >>>
> >>> I can not agree with that. If you're messing around on your desktop
> >>> machine, ok... you've already got root and you are the only user...
> >>> security patches aren't important in that scenario ... but if you're
> >>> providing real services to real users, and you don't want some script
> >>> kiddie wiping out your box starting from a PHP or SQL injection
> >>> exploit, then you need to be using kernels that aren't 18 months out of
> >>> date.
> >
> > Hmm... SQL injections don't have any issue with kernels, and PHP failures
> > normally run with low-level privileges on the system; it could... but it's
> > not likely to hit the kernel without huge effort.
>
> wtf?
My English is not so good; what does this mean? :-)
> There are thousands of crappy php scripts out there that can be
> tricked into running arbitrary code ... add any one of the privilege
> escalation vulnerabilities and the attacker can escalate "arbitrary code"
> into "root access".
Yes, but doing it is not so easy. If it were true, we would be getting tons
of exploits daily. Finding a security failure is one thing, revealing it to
the world is another, and making a real working exploit usable by anyone is
yet another. :-)
I wasn't saying it cannot be done, and it is our obligation to update the
system (of course it is), but really penetrating a system, from "bad input
handling in PHP" to "executing shell code on the system to become root", is
hard, takes time and requires skill. A wannabe invader is not likely to hack
through a system without many working tools (read: many ready-at-hand
exploits). Doing it by raw force (read: finding the failure, creating a way to
exploit it, making the shell code, etc.) is quite rare (for good or for bad).
Most of the security failures shown on the Internet lack the tool-of-proof
part and are simply announced.
Note that I do not want to say that we can ignore security failures! We need
to maintain an upgraded system at every level, from high level to kernel.
What I mean is that script kiddies cannot do it so easily.
Coming back to the thread, any security issue in kernel 2.6.18.x has had a
correction, official or not. Some of them were posted on the Xen-Devel list a
couple of days back.
Again, most of the problems I see/find in staying on 2.6.18.x are the lack of
drivers for recent hardware and of some newer kernel resources. It's a very
stable branch; the only major bug that troubles me is with old AMD+PCChips
hardware (no way to make it work!)
Finally, I will be very happy if Xen officially becomes part of the vanilla
kernel too.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users