Vulnerabilities in udev
ken at linuxfromscratch.org
Mon Apr 27 12:02:00 PDT 2009
On Mon, Apr 27, 2009 at 12:53:41PM -0500, Mike McCarty wrote:
> > All users who run udev are recommended to upgrade and reboot.
> Why? What I see there shows two vulnerabilities indeed, but perhaps
> not for everyone. ISTM that they require a hostile local user, or at
> least one with a running local agent. I don't see how my LFS machine
> is vulnerable if
> no serial cable is connected
> no network cable is connected
> no PLIP is running or connected
> nobody lives in my house who wants to do my machine mischief
> I am not expert, so I perhaps am not able to see how the vulnerabilities
> listed affect my machine. Could you be more specific about how the
> vulnerabilities are subject to exploit? I'd appreciate that very much.
> IOW, I'd like to see something which would allow us to evaluate what
> our exposure might be.
If, like many of us, you only have a single human user then you can
do a risk assessment and decide you don't need to update. Nobody can
recommend running known-vulnerable software, but for _everything_ on
your LFS box you make your own choices.
If you have multiple human users, it is generally a good idea to
mistrust them when you are in your sysadmin role.
I'm not an expert either, and unlike regular distros we can't
subscribe somebody to the full-disclosure list where at least one
proof-of-concept has apparently circulated.
once as tragedy, the other time as farce