[sf-lug] Monday meeting and Bobbie Sellers' news

Rick Moen rick at linuxmafia.com
Mon Apr 16 00:29:38 PDT 2018


Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> As for the SUID thing: That preload ran everything as root anyway,
> including telnetd. Methinks Cloudflare did a good thing in this case.

Ouch, yeah.  Certainly seems so.

> Yep, running a 2.4 kernel, at least for the v2, with an endless list of
> unpatched CVE's, especially _outside_ the kernel. There would be a
> somewhat shorter, but not short enough, list with OpenWrt 10.03, which
> had a slightly less ancient kernel, also not enough, because the version
> number is the release date, now eight years and one month behind us.

Remember:  Whether vulnerabiities in old software matters depends in
part on what features are enabled in the local installation.  E.g., I
routinely skim-read CVEs about kernel bugs and judge them to be
irrelevant to my system because they're flaws in drivers/subsystems not
present on my systems.  While I doubt any 2.4.x kernels are still safe
today, I'll bet many 2.6.x kernels are, particularly ones for which the
local admin has locked down what is enabled (and more so ones compiled
locally to build only what is needed, though few admins bother to do so
any more).




More information about the sf-lug mailing list