Vulnerabilities in udev

Mike McCarty Mike.McCarty at sbcglobal.net
Mon Apr 27 12:37:03 PDT 2009


Bruce Dubbs wrote:

Thanks for your reply.

> Mike McCarty wrote:
> 
>> I am not expert, so I perhaps am not able to see how the vulnerabilities
>> listed affect my machine. Could you be more specific about how the
>> vulnerabilities are subject to exploit? I'd appreciate that very much.
>> IOW, I'd like to see something which would allow us to evaluate what
>> our exposure might be.
> 
> You're right Mike, not all vulnerabilities are equal.  However it is good 
> practice to fix known vulnerabilities.  If, for instance, you decided to run a 

It is also good practice not to replace otherwise working code with
possibly defective code, especially if the possibility of exploit
is small to non existent. I was hoping to get information to enable
me to evaluate my risk to exploit.

> web server or even give yourself the capability to ssh into the system from 
> outside your home and there was a problem with that server software, a local 
> vulnerability could then lead to a root compromise.

Yes, certainly. Neither of those is anything I ever intend to do.
ISTM that the exposure my machine has is nil at present, and I see
no reason to risk running unseasoned changes unless one can demonstrate
actual possibility of exploit. For that reason, I am wary of publishing
blanket recommendations for all users to replace working software
simply because there is a known vulnerability. A vulnerability with
no possibility of exploit is not a liability. Unseasoned code is a
greater risk in that circumstance.

Thanks also for the instructions!

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!



More information about the lfs-support mailing list