Posted: Mar. 13 2007, 16:19
> Quote (roberts @ Mar. 12 2007, 18:14):
> A very vague post.
> But to quote the security announcement:
> "To execute this attack a malicious user needs shell access to the victim's machine. The severity of this bug is considered low because local denial-of-service attacks are hard to prevent in general."
> DSL primarily being a single-user (dsl) live CD or compressed image (frugal) desktop does not a server make.
> Being single user would mean an internal or local DoS would be self-initiated? See the security announcement quoted above.
> If you decide to install DSL as a traditional hard drive installation and make it into a server, then you should take every precaution to protect it.
> Servers and traditional hard drive installations cannot be supported, as it is impossible to know the state of your machine and network environment.
> Given the low level of this security announcement and the above facts regarding the intended use of DSL, no further action will be taken.

DSL does not necessarily have to be used in single-user mode. It is possible to set it up with multi-user logins, and to use it to run a server with several users. This is not a problem with the DSL distro. It is a problem for certain Linux kernel versions, affecting all distros. I know it requires shell access - I have seen this exploit in action on a Red Hat server running a 2.4.something kernel version. It does not require the attacker to be in the superuser group. But if the telnet port is open on a DSL server, then the kernel version becomes important. I am not suggesting any course of action - I was only interested in whether it was possible to use this exploit on DSL 3.0 (whether anyone had done it?).