
Remote Bug Found In Ubuntu Kerberos

timothy posted more than 3 years ago | from the owning-up-to-it dept.


Trailrunner7 writes "There's a remote vulnerability in the Kerberos implementation in several versions of Ubuntu, which could allow an attacker to cause a denial-of-service on vulnerable servers. The bug is in Ubuntu 8.04, Ubuntu 9.10, Ubuntu 10.04 and Ubuntu 10.10. The bug is in the Ubuntu implementation of the Kerberos authentication protocol. Ubuntu has released a slew of new packages to fix the flaw. The group said that in most cases, a normal system update will add the new fixes."


93 comments

Responsible disclosure (0)

Anonymous Coward | more than 3 years ago | (#35216664)

I installed this update last night.

Re:Responsible disclosure (1, Insightful)

HomelessInLaJolla (1026842) | more than 3 years ago | (#35216710)

Sometimes I have the feeling that kernel level programmers only disclose bugs which they are able to use to discredit a competitive colleague. The remainder of the exploits they quietly continue to use.

Consider: who would know?

Re:Responsible disclosure (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35216944)

That would be a scary thought, except that it is a vulnerability that can be solved just by throwing more highly competitive assholes at the problem...

If there is one thing that the world has in abundance, those are it.

Re:Responsible disclosure (0)

QuantumBeep (748940) | more than 3 years ago | (#35217606)

Good point. Also, sadly, not going to get looked at very closely due to the glennbeckishness of it.

Re:Responsible disclosure (2)

Nerdfest (867930) | more than 3 years ago | (#35216990)

I have a lot of packages installed on a variety of Ubuntu machines, and I'm actually surprised when it goes a few days without updates being available. I'm not saying that this is a bad thing ... I much prefer the instant fix model as opposed to MS and Adobe's batch based patch cycle, especially since I pretty much never need to reboot (on machines where it matters more I use KSplice).

There are very few cases where any problems occur, even with large updates. I'm not quite confident enough to update versions blindly on most machines, but I've done it a couple of times without a problem. It's pretty amazing how well the system works.

Re:Responsible disclosure (2, Interesting)

Anonymous Coward | more than 3 years ago | (#35217318)

Just because a system has an update applied doesn't mean it's actually using it. The updates usually only fix things on disk and won't affect in-memory images of running executables.

Re:Responsible disclosure (4, Informative)

0123456 (636235) | more than 3 years ago | (#35217414)

The updates usually only fix things on disk and won't affect in-memory images of running executables.

post-install script: /sbin/service thing-i-just-fixed restart

Fortunately Linux doesn't have three zillion things running in the background that can't easily be restarted, unlike Windows.
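The point made just above, that an update replaces files on disk while running processes keep the old code mapped, can be checked rather than assumed. The following is an added example written for this page, not code from the thread or from Ubuntu: it reads /proc/<pid>/maps, where the kernel appends "(deleted)" to a mapping whose backing file has since been replaced or removed, and lists processes that are still executing pre-update code and therefore still need a restart. The sample maps content is constructed, and the library and daemon names in it are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): find processes that still map
# a library or executable that has been replaced or deleted on disk.
#
# A package update writes new files, but a running process keeps the old inode
# mapped; /proc/<pid>/maps then shows that mapping with a trailing "(deleted)".
# Until the process is restarted it runs the unpatched code.

# stale_mappings_from_maps: read /proc/<pid>/maps-formatted lines on stdin and
# print the distinct file paths that are mapped but no longer exist on disk.
# Fields: address perms offset dev inode pathname ["(deleted)"].
# Anonymous mappings, [heap]/[stack], /dev/zero, memfd and SysV shared-memory
# segments are also reported as deleted by the kernel but are not stale code,
# so they are filtered out.
stale_mappings_from_maps() {
    awk '$NF == "(deleted)" && $6 ~ /^\// && $6 !~ /^\/(dev\/|memfd:|SYSV)/ { print $6 }' \
        | sort -u
}

# scan_running_processes: walk /proc on the local host and print, for every
# process with stale mappings, its PID, command name and the stale paths.
# Needs root to read other users' maps files; unreadable entries are skipped.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_mappings_from_maps < "$maps" 2>/dev/null) || continue
        [ -n "$stale" ] || continue
        printf '%s (%s):\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        printf '%s\n' "$stale" | sed 's/^/    /'
    done
}

# Constructed sample of /proc/<pid>/maps content (not captured from a real host):
# two mappings of a library replaced by an update, a live libc, the main
# executable, an anonymous mapping, the heap and a shared-memory segment.
# Only the replaced library should be reported.
SAMPLE_MAPS='7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 1310789 /usr/lib/libkrb5.so.3.3 (deleted)
7f3a1c1b5000-7f3a1c1b7000 r--p 001b5000 08:01 1310789 /usr/lib/libkrb5.so.3.3 (deleted)
7f3a1c400000-7f3a1c5a0000 r-xp 00000000 08:01 1310111 /lib/libc-2.11.1.so
00400000-00420000 r-xp 00000000 08:01 1310222 /usr/sbin/krb5kdc
7f3a1c600000-7f3a1c621000 rw-p 00000000 00:00 0
7f3a1c700000-7f3a1c701000 rw-p 00000000 00:00 0 [heap]
7f3a1c800000-7f3a1c801000 rw-s 00000000 00:04 32769 /SYSV00000000 (deleted)'

# demo_stale_detection: run the parser over the constructed sample.
demo_stale_detection() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_mappings_from_maps
}

# "sh stale.sh" runs the offline demo; "sh stale.sh scan" inspects this host.
case "${1:-demo}" in
    scan) scan_running_processes ;;
    *)    demo_stale_detection ;;
esac
```

Running the scan right after an update and restarting whatever it lists is the check that turns "I installed the update" into "the fix is actually in effect"; a process that keeps showing up is one the package's post-install script did not restart.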

Re:Responsible disclosure (1)

Anonymous Coward | more than 3 years ago | (#35217708)

But X Windows and similar stuff can't be restarted without killing off all the GUI apps. So "Desktop Linux" is similar to Windows in this area. If X locks up or crashes almost everything that's "Desktop Linux" goes with it.

Re:Responsible disclosure (1)

jrumney (197329) | more than 3 years ago | (#35218116)

I'm pretty sure Ubuntu can restart gdm without affecting running X sessions. So you won't get the updates to X until you log out and back in, but at least you will get them then.

Re:Responsible disclosure (1)

0123456 (636235) | more than 3 years ago | (#35218210)

But X Windows and similar stuff can't be restarted without killing off all the GUI apps.

Sure, but:

a) exploits in the X server seem fairly rare.
b) most home users log out every day in any case.

Pretty much anything other than the X server or kernel can be restarted without having to log out. The kernel can be patched while running, but Ubuntu doesn't support it as far as I'm aware.

Re:Responsible disclosure (3, Insightful)

Gadget_Guy (627405) | more than 3 years ago | (#35217798)

Fortunately Linux doesn't have three zillion things running in the background that can't easily be restarted, unlike Windows.

Quite right, because Windows doesn't have a restart option like Linux. You have to manually type it as

net stop "service" && net start "service"

That is so much harder.

Re:Responsible disclosure (1)

0123456 (636235) | more than 3 years ago | (#35218230)

Except every piece of crap program on Windows wants to run its own helper/updater/taskbar crap which can't trivially be restarted.

Not to mention that any time you want to update a system DLL you have to reboot because Windows is so backward that you can't replace them while the OS is running.

Re:Responsible disclosure (1)

Gadget_Guy (627405) | more than 3 years ago | (#35218710)

If you look in Windows Task Manager you can see the processes and services running on your computer. Helpers/updaters/taskbar icons don't appear magically on screen. They have corresponding entries in the task manager lists. If it is a service, then the net start/stop code that I posted will work fine. If it is a process, then you can kill it with the "End Task" option. You might claim that this is not a trivial way of restarting, but then neither is having to type "/sbin/service thing-i-just-fixed restart" like the grandparent suggested.

Besides, any decent updater will run a separate process so that it can restart the code that it is updating automatically.

It is true that Windows can't overwrite DLLs that are in use, but I just had to reinstall an old XP system (including uninstalling the pre-installed bloatware then installing apps, drivers and service packs) and it was surprising how few times I had to reboot. Quite often when third party programs say you have to reboot after an install, it is simply not true.

Re:Responsible disclosure (1)

Alex Belits (437) | more than 3 years ago | (#35218754)

If it is a service, then the net start/stop code that I posted will work fine. If it is a process, then you can kill it with the "End Task" option.

Except, of course, it won't be restarted -- it will remain in such state until you reboot or log in again (depending on what triggers the start). And nothing will happen with DLLs.

Re:Responsible disclosure (0)

Anonymous Coward | more than 3 years ago | (#35228560)

I suspect bad applications require a restart, in order to start their System Tray rubbish.

Re:Responsible disclosure (0)

Anonymous Coward | more than 3 years ago | (#35220104)

net stop "service" && net start "service"

That is so much harder.

The command you gave might not be any harder, but it sure won't work.

All the services that depend on "service" will get stopped as well, however you only started the one "service" service, and neglected to give the commands to restart the dependencies, which would in your figurative system now be not running at all.

If you are lucky and haven't closed the prompt window, you will have a listing of 'long' service names that were also stopped.
With that information, you can open the services control panel to find the 'short' names of everything listed and then give the net start commands to restart all of them one by one... But this is starting to sound harder than a single command compared to Linux, isn't it now ;)

Re:Responsible disclosure (1)

Gadget_Guy (627405) | more than 3 years ago | (#35220574)

But this is starting to sound harder than a single command compared to Linux, isn't it now ;)

On the other hand, I don't recall ever having to issue this command after an update. The updates tend to handle it themselves. The ones that require reboots are a lot less common than they used to be.

Re:Responsible disclosure (0)

Anonymous Coward | more than 3 years ago | (#35230688)

The ones that require reboots are a lot less common than they used to be.

They are plentiful enough, thank you, on my Windows 7 installations of varying nature. So they may be less common (I disagree that they are a *lot* less common, purely based on empirical observation) than they used to be, but they are still far, far too common.

And as a different poster pointed out: Your command example is simple enough, but it doesn't actually work, so it's useful in theory, and useless in practice. Which is too bad, but an undeniable reality.

tl;dr: Windows updates suck slightly less than they used to, but they still suck, a lot.

Re:Responsible disclosure (2)

Bobakitoo (1814374) | more than 3 years ago | (#35217416)

This is why the services are restarted after the new package is installed. The only patches that need a reboot are kernel fixes.

Re:Responsible disclosure (1)

oliverthered (187439) | more than 3 years ago | (#35221824)

google, or whatever.

ubuntu openssl security flaw, it was a Debian package.

I would have thought they would stop playing around patching that kind of stuff after the first cock-up.

"Security Warning: Serious flaw in Debian Linux OpenSSL Package

by Vivek Gite on May 13, 2008 3 comments

There is a serious security flaw in Debian openssl - the random number generator in Debian's openssl package is predictable. As a result, cryptographic key material may be guessable."

Dear MS trolls: (3, Insightful)

Anonymous Coward | more than 3 years ago | (#35216702)

Notice how this has already been patched before most of the world knew about it?

This is the difference in the GNU/Linux world and your world.

Love,

An ex-MS person that will never go back

Re:Dear MS trolls: (2, Interesting)

Anonymous Coward | more than 3 years ago | (#35216770)

This difference is caused by the fact that hackers and malware programmers generally love GNU/Linux. Therefore they report the bug first, then disclose it to the public and never exploit it. For Windows bugs they do it exactly the other way around.

Re:Dear MS trolls: (1)

steeleyeball (1890884) | more than 3 years ago | (#35216974)

All I know is, I installed the updates and never use Kerberos anyway so wasn't at risk to start with.

Re:Dear MS trolls: (-1)

Anonymous Coward | more than 3 years ago | (#35217012)

I never had to patch because I don't use that sad excuse for an operating system.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35217358)

The air would smell better if you pried your head out of Bill Gate's ass

Re:Dear MS trolls: (-1)

Anonymous Coward | more than 3 years ago | (#35217902)

...what?

Have fun with your Apple II, I'm off to get my laptop.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35218930)

+1 for sarcasm! :-)

Re:Dear MS trolls: (1)

Johnny Loves Linux (1147635) | more than 3 years ago | (#35217542)

This difference is caused by the fact that hackers and malware programmers generally love GNU/Linux. Therefore they report the bug first, then disclose it to the public and never exploit it. For Windows bugs they do it exactly the other way around.

This is not the first time I've heard something like it, and I still don't understand it. How can all hackers and malware programmers "generally love" Linux so much that they don't attack Linux sites? Can this really be true? I don't see how, but for the sake of argument, assuming that statement is true, WHY would hackers and malware programmer loooovvvvvvvee Linux so much and not Microsoft that they protect Linux and attack Microsoft? Why?

Re:Dear MS trolls: (0)

bsDaemon (87307) | more than 3 years ago | (#35217752)

Maybe because it's easier to feel like Robin Hood from their mom's basement while they're doing battle against the great Satan, Microsoft. They want their pet OS to have every advantage in making them feel superior to all the infidels who haven't been enlightened. But, do note, there's a difference between those who are capable of discovering and exploiting a memory corruption vulnerability by sifting through decompiled binaries, and dumb-ass kids who copy and paste SQL injections until one works with the ultimate goal of putting goatse on someone's wordpress site. To the latter, it's nearly irrelevant what operating system is being run.

Re:Dear MS trolls: (1)

TrancePhreak (576593) | more than 3 years ago | (#35217766)

Because they use Linux and hide behind it. To expose its flaws would be to expose flaws in their defenses. At least, that's one way I've envisioned it.

Windows is still the largest install base as well. For whatever reason OSX goes down quicker at Pwn2Own.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35219568)

They could use OpenBSD, but then their retardation would be cured, and they wouldn't want to do criminal acts anymore.

Re:Dear MS trolls: (1)

IRWolfie- (1148617) | more than 3 years ago | (#35220888)

That doesn't make sense, just because they don't look at the flaws (even for themselves) doesn't mean they don't exist. (I'd imagine windows malware writers use windows for the most part)

Re:Dear MS trolls: (1)

TrancePhreak (576593) | more than 3 years ago | (#35229458)

It's not that they might not be looking for the flaws, just that they don't want others to know about them. Smart malware writers work on a different system, communicating and testing on their target platform. This ensures the malware does not infect the development platform.

Which reminds me of someone who wrote a virus and accidentally infected themselves.

Re:Dear MS trolls: (1)

GameboyRMH (1153867) | more than 3 years ago | (#35220488)

It's a big load of crap. It's exactly like saying armed robbers would report flaws in bank security because they love banks while knocking over gas stations, because they hate gas stations.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35221290)

Except that the bank robbers are also bank security officers.

Re:Dear MS trolls: (1)

GameboyRMH (1153867) | more than 3 years ago | (#35221470)

You think black hats have day jobs? Or that their own boxes aren't secured to the point that practically no flaw poses a serious threat?

Re:Dear MS trolls: (-1)

Anonymous Coward | more than 3 years ago | (#35216794)

Because lunix is open sores, everyone you least want to know about the exploit already does. Enjoy your security blanket linus.

Trolling the trolls: (1)

Anonymous Coward | more than 3 years ago | (#35216878)

Open sores? Can I have my Linux free of physical defects please?

Re:Trolling the trolls: (0)

Anonymous Coward | more than 3 years ago | (#35217032)

No you cannot.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35218424)

Because lunix is open sores, everyone you least want to know about the exploit already does. Enjoy your security blanket linus.

And everyone you most want to know about the exploit, also does. Freedom is great, Charlie Brown.

Re:Dear MS trolls: (3, Insightful)

black3d (1648913) | more than 3 years ago | (#35217008)

It was discovered in (actually, discovered much earlier but acknowledged in) October 2010, thus the difference between the two worlds is that folks who discover Linux bugs tend not to share them with anyone but the vendor, and the folks who discover Windows bugs tell everyone and their dog, before even notifying Microsoft. Interestingly, often the same folks in both cases.

Thus, there's nothing wrong with our world. There's something wrong with the mindset of the white-hats.

Re:Dear MS trolls: (3, Informative)

Anonymous Coward | more than 3 years ago | (#35217546)

Except that here back in reality we have multitudes of real, published news stories about the building animosity between MS and whitehats who try to disclose bugs that MS doesn't care about and/or recognize, or possibly just ignore until they get around to it. There's problem #1 with your argument.

Gosh, denial is a popular place (4, Informative)

SmallFurryCreature (593017) | more than 3 years ago | (#35217616)

Except for the countless times that people have disclosed security problems to MS, found that MS didn't give a toss and finally after months release it to the public because if THEY know it, some one else might ALSO know it and be exploiting it.

But I guess a MS fanboy truly believes ignorance is bliss.

Re:Gosh, denial is a popular place (2)

TrancePhreak (576593) | more than 3 years ago | (#35217756)

FOSS projects have the same mentality sometimes. I sometimes come across bugs that are marked WNF by the project maintainers.

Re:Gosh, denial is a popular place (0)

Anonymous Coward | more than 3 years ago | (#35218070)

Because no linux fanboy would ever lie about how Microsoft treated them, we just blindly believe anything anyone says if it is bad about Microsoft.

Re:Gosh, denial is a popular place (-1, Troll)

hairyfeet (841228) | more than 3 years ago | (#35219016)

That is because like everyone else in the "gimmie gimmie" generation they think the world revolves around them and the universe should instantly stop and magically cater to them...give me a fricking break!

Do you even think for a second what you are talking about here? You are talking about an OS whose whole selling point is backwards compatibility and third party apps which people have billions of dollars invested in and you think they can just magically whip off a patch to some highly used by third parties subsystem without doing serious testing? WTF?

Yeah, imagine the absolute howling shitfit everyone here would be having if MSFT announced "Hey we fixed a major bug but FYI unless your Quickbooks or Photoshop is this year's version? Yeah you're fucked, because any older than 2010 will never work again. Have a nice day!"

You know why Linux can get away with that shit? it is because nobody is paying for it that's why! Nobody gives a fuck if last years Gimp runs or not, because you just get the new Gimp, whether you like it or not.

For the few people who will actually spend a dime to have a Linux distro like those on Red Hat? You can damned well be sure there is some serious testing for any patches come flying out. That is why RHEL is what some would call "behind the curve" or as I call it "not running shitty alpha quality code". It is no different with Macs, as Steve knows they will toss their Mac in 3 years or less therefore he doesn't give a shit if anything older than 3 years old runs.

Must be nice to be able to not depend on anything, or just buy all new all over again like with Apple, but the rest of us have serious time and money invested in our programs and would like them to work, thank you VERY much! You can keep your Linux ways to yourself, the 90%+ of the population are quite happy where we are, where our apps still run when we upgrade.

Re:Gosh, denial is a popular place (4, Insightful)

unapersson (38207) | more than 3 years ago | (#35219190)

Does your rant have any basis in reality?

I've not used Mac OSX for any significant length of time, but have been using Windows and Linux for years. Plenty of Windows software breaks on updates and/or becomes abandonware when the vendor goes out of business or stops making drivers for the older hardware on newer versions. One of the reasons I shifted my home PC to Linux was to escape all that nonsense of stuff you'd bought just suddenly stopping working on upgrade. Or degrading over time unless you do a complete re-install. I've always found Linux with its updates a breath of fresh air compared to the hassles of keeping Windows up and running. My hardware and peripherals keep working through many OS updates, user facing software is updated frequently. I assure you that Linux users would definitely be upset if user facing programs suddenly stopped working on update, so that seems a bizarre distinction to make.

And billions of dollars of software does run on Linux, I know we've got millions of dollars worth of software running on Linux just where I'm working. And there is that choice between running the latest and greatest, or stable but behind the curve with strong support from vendors.

Microsoft tends to tie its wagons together, despite having separate server and consumer versions.

Re:Gosh, denial is a popular place (0)

Anonymous Coward | more than 3 years ago | (#35219798)

You've obviously had the enormous good fortune to be running a computer that wasn't fucked by the Pulse Audio shitfest, or the wi-fi drivers happily breaking on every update. Luckily, I'm the same - my computer's worked through various updates. A good friend of mine - a much better programmer and admin than I'll ever be - regularly curses as Ubuntu pushes out updates that break his computer. Normally wi-fi or the audio subsystem, but it's been graphics before or just straight stability.

Note: I am well aware Ubuntu is not the only Linux. He runs Ubuntu. I swapped to Ubuntu when I ran out of the time to dick around with Arch and Gentoo which are actually my favourites.

Anecdotal evidence stands against anecdotal evidence, while in the real world businesses are stuck on Windows whether they like it or not - and in reality most of them *don't give a shit*.

Re:Gosh, denial is a popular place (1)

GameboyRMH (1153867) | more than 3 years ago | (#35220538)

Ubuntu contains bleeding-edge software. It's the Fedora of Debian-based distros. If you don't want updates to break things, run Debian Stable.

Re:Gosh, denial is a popular place (1)

hairyfeet (841228) | more than 3 years ago | (#35226478)

First of all, let me make this clear: nobody cares about the hardware because unless it is a multi-thousand dollar piece of equipment like a laser cutter it just gets shitcanned after 3 years anyway, same as nearly no one buys Windows retail, they get it with a new box, next!

Second, again another bullshit logical fallacy Linux guys continue to pull, so please pay attention: WE ARE TALKING ABOUT THE DESKTOP: not the God damned server! Jesus, why is it Linux guys gotta bring in server into a totally unrelated conversation? Is it because they know it is the only place where it actually functions (and that is due to crazy hoop jumping by server hardware and software vendors to keep up with Linus twiddling with shit). It is like saying "I have a toaster!" when we are talking about truck design. I mean seriously WTF?

Now back to the subject at hand which is THE DESKTOP, and not cell phones, servers, embedded, or your toaster, the simple fact is that I have no trouble running decade old software on the latest and greatest. After installing Win 7 x64 for a ton of clients I ran into ONE app (a PITA version of QuickBooks) that refused to run, installed XP Mode and Tada! It "just works". Can you do that with even a 2 year old app? With Linux if the vendor doesn't jump through the hoops because Linus like twiddling with kernel guts you are well and truly fucked end of story.

To me Linux is a perfect example of why collaboration over the Internet just doesn't work, and this has NOTHING to do with FOSS, because from what I understand it isn't that way in BSD which is FOSS, nor is it this way in Solaris, where in both an app written years ago still "just works" and new apps will still run on the old.

With Linux instead of a cohesive vision and solid plans you have 50 million reinventing the wheel, 50 million little fiefdoms with bad attitudes and BOFH, and 50 million guys that don't care if they fuck everyone else up as long as THEIR itch is scratched, see Linus and his kernel twiddling as an example. Hell the man even says as a boast that Linux has NEVER been designed, it grows like a virus [kerneltrap.org]. Right, good plan there Linus, don't design squat just scratch your itches and let it grow like a fungus LOL!

So go ahead and waste modpoints while burying your collective heads in the sand, go ahead and call me names like shill and astroturfer, all for daring to point out your emperor is naked as a jay bird, it won't make 1+1=3 nor will it change reality. Reality is there is a damned good reason why Linux is at 1% and stagnant and it isn't a "conspiracy" and it isn't that people haven't tried, as Walmart and Best Buy and ASUS have all done. Nope it is because Linux is currently a fucking mess and anyone who dares to ask it be fixed is attacked by the mass of koolaid drinkers and zealots that treat it as a religion.

Constant driver breakage, the total mess that is audio with Pulse and ALSA and "update foo broke my" which leaves the user with a labyrinth of forums to navigate that if they are VERY lucky will give them some mess of CLI that A.-They are supposed to be able to understand well enough to "tweak" and B.-Be able to apply without making a single mistake for risk of boning the machine. And this isn't even bringing up my point that God help you if you base anything mission critical ON THE DESKTOP because it is just a mess.

So don't blame me that your OS has had FIFTEEN YEARS and gone exactly nowhere on the desktop. The only places it has gained is where a corp has been willing to either jump through the hoops (like in server, where Windows CALs make jumping through the hoops worthwhile) or in Embedded where they can just "TiVo trick" and only have to support a single device. But on the desktop it is frankly a mess and just isn't getting better, if anything it's getting worse. Hell look at what EVERY Linux user trots out when someone says "Linux is too much of a PITA"? UBUNTU! Yes let's take the noob and stick him on an OS so bleeding edge the CD has stigmata, yeah, that's the ticket!

Re:Gosh, denial is a popular place (0)

Anonymous Coward | more than 3 years ago | (#35219418)

First of all, there are countless more times when bugs privately disclosed to MS do get fixed, but there are always cocksuckers like you who make demands that MS blow them and do things according to their own timetable, fuck them over by making a public disclosure anyway, then tell all their friends how badly MS sucks because things didn't go their way.

And for the record, people don't defend Microsoft because they are a fan, they simply get sick and fucking tired of partisan Linux zealots like yourself. Get bent.

Re:Gosh, denial is a popular place (0)

Anonymous Coward | more than 3 years ago | (#35219974)

Oooh. Did someone hit a nerve?

Has anyone yet addressed those occasions when Microsoft were made aware of holes without them being publicly disclosed, and only after many months of inaction on MS's behalf they've been made public?

Isn't that what the Linux fanbois are getting at?

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35244864)

Your a sand nigger fuck off... eat shit and die.

Re:Dear MS trolls: (1)

Sam36 (1065410) | more than 3 years ago | (#35217160)

I freaking hate MS. I will build my own OS and/or get fired from work before I would ever touch that pile of crap. Don't even get me started on windows C++ api programming. The concept of a dynamic link library (dll), being able to load and unload libraries as needed to increase performance and/or save ram. Yet the whole system eats RAM and gets slower with every reboot. Die.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35217166)

Notice how this has already been patched before most of the world knew about it?

This is the difference in the GNU/Linux world and your world.

Love,

An ex-MS person that will never go back

I hate to do this but your smug answer is being taken seriously: 1. It's not "most of the world" you should be worried about and that statement shouldn't provide any comfort; 2. It was patched quickly after languishing for almost three years.

Re:Dear MS trolls: (1)

0123456 (636235) | more than 3 years ago | (#35217396)

It was patched quickly after languishing for almost three years.

Being patched quickly after only three years seems pretty good compared to the average Windows exploit.

Re:Dear MS trolls: (1)

Sulphur (1548251) | more than 3 years ago | (#35217566)

It was patched quickly after languishing for almost three years.

Being patched quickly after only three years seems pretty good compared to the average Windows exploit.

After 17 days of demonstrations in XP, Egypt.

Re:Dear MS trolls: (1)

MichaelKristopeit331 (1966802) | more than 3 years ago | (#35217394)

why do you cower? what are you afraid of?

you're completely pathetic.

Re:Dear MS trolls: (1)

QuantumBeep (748940) | more than 3 years ago | (#35217618)

OH MY GOD not you again.

Why do I cower? What am I afraid of? When I close my eyes I see your dumb ass asking what I'm cowering about.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35218400)

I was wondering what all that stuff about Kerberos was about. System update told me about this, and I read Slashdot while it was running. But that was yesterday (about 25 hours ago). I don't really use kerberos either. It ran anyway, yesterday.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35218512)

Notice how this has already been patched before most of the world knew about it?

This is the difference in the GNU/Linux world and your world.

Love,

An ex-MS person that will never go back

Candidate assigned on 20110103

These are a month and a half old, just going by report times.

Vendors fix problems before the rest of the world knows about them all the time. That's what generic "security updates" are.

You SAY the GNU/Linux world releases security fixes faster, but the reality is there isn't even REMOTELY the same level of QA effort put into them. Now, if you want to argue that open source projects go through the same level QA processes as commercial software vendors, and do that faster, I'd love to hear your reasoning.

Otherwise, we both know that _technically_ fixing 99% of security problems takes much less than a day. When an open source security fix breaks previously working functionality, you all shrug, and that's not fair to those who really put a lot of QA time & money in.

Re:Dear MS trolls: (2)

smash (1351) | more than 3 years ago | (#35218882)

Notice how the bug is not present in FreeBSD?

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35220098)

Same can be said about many other obscure dead OS too.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35220634)

Maybe not in the heimdal kerberos which is the default kerberos implementation, but there is a patch in the ports tree for the MIT kerberos, which is necessary for things like proper AD support in samba.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35218886)

I'd also love to note that a DoS hole is not equal to a vulnerability that will allow one to elevate rights or take over the system or anything like that.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35219748)

Only on Slashdot would petty trolling like this be modded "Insightful" rather than "Troll".

Yes, yes, we get the point, you stopped buying Windows. Good for you. What do you want, a fucking medal? It's only an OS (a good one in some ways, a bad one in many others) not a way of life. Grow up, you pathetic little prick.

Blah blah blah "MS shill" "astroturfer" blah blah blah I went Linux in 2000 and OSX in 2006 and guess what, I don't fucking care what OS I'm using.

Re:Dear MS trolls: (0)

Anonymous Coward | more than 3 years ago | (#35226032)

The real difference is that nobody gives a fuck about Ubuntu.

An ex-Linux person that now lives in the real world.

Dear LINUX trolls... apk (0)

Anonymous Coward | more than 3 years ago | (#35227000)

KNOWN Linux 2.6 security vulnerabilities, kernel ALONE, & not counting GUI shells ones too (02/15/2011) = 5% (12 of 247 Secunia advisories)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

---

KNOWN Windows 7 security vulnerabilities, IN ITS ENTIRETY Gui shell & all (02/15/2011) = 11% (6 of 57 Secunia advisories)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

---

Let's see:

---

1.) That's TWICE as many bugs still present in Linux' kernel ALONE, vs. Windows 7 in its entirety...

AND

2.) There were 4x++ as many bugs in Windows 7 patched as there were in Linux kernel 2.6 (which is a LOT older than Windows 7).

---

And, you said THIS stuff below? Please... Read above, drink it in & digest it:

"Notice how this has already been patched before most of the world knew about it?" - by Anonymous Coward on Tuesday February 15, @07:55PM (#35216702)

That's how the Linux camp TRIES to "pull the wool over others' eyes" by NOT publicly reporting bugs, fixing them (while they are STILL exploitable) first, and THEN & only then, reporting them... meantime? They are vulnerable.

---

"This is the difference in the GNU/Linux world and your world." - by Anonymous Coward on Tuesday February 15, @07:55PM (#35216702)

Yea, a world of deceit is more like it... especially after you read what I posted as facts/stats above, and below in my P.S.!

( Read 'em & weep / Do the Math... & "argue w/ the #'s" ).

APK

P.S.=> Very recently as well, showing how "secure" Linux REALLY is also, are these too:

---

USB Autorun Attacks Against Linux:

http://linux.slashdot.org/story/11/02/07/1742246/USB-Autorun-Attacks-Against-Linux [slashdot.org]

---

Security Warning Over Web-Based Android Market:

http://mobile.slashdot.org/story/11/02/04/181204/Security-Warning-Over-Web-Based-Android-Market [slashdot.org]

---

Die-hard bug bytes Linux kernel for second time:

http://www.theregister.co.uk/2010/09/15/linux_kernel_regression_bug/ [theregister.co.uk]

---

That last one's a "humdinger", because it was fixed, but proven to be an incomplete one too, 1st round... apk

Linux adds another bug, fails in GERMANY & LSE (0)

Anonymous Coward | more than 3 years ago | (#35283706)

KNOWN Windows 7 security vulnerabilities, IN ITS ENTIRETY Gui shell & all (02/22/2011) = 11% (6 of 57 Secunia advisories)

http://secunia.com/advisories/product/27467/ [secunia.com]

---

KNOWN Linux 2.6 security vulnerabilities, kernel ALONE, & not counting GUI shells ones too (02/22/2011) = 5% (13 of 247 Secunia advisories)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

---

Correcting myself, & Linux added YET ANOTHER known issue vs. the last time I checked 3 days ago, upping its KERNEL ALONE to showing more errors than Windows 7 BY MORE THAN DOUBLE!

(I.E.-> 6 known Windows issues, vs. 13 known Linux issues (which is even more in Linux, considering you are NOT looking @ its entirety in the kernel alone... add on Gnome, KDE, xfce or other shells' bugs, & you would have MORE than that even!))

---

More? Ok - Some more VERY RECENT "Linux FAILS"... coming right up, "hot off the presses":

---

German Foreign Office Going Back To Windows:

http://linux.slashdot.org/story/11/02/22/0244242/German-Foreign-Office-Going-Back-To-Windows [slashdot.org]

---

&/or

---

London Stock Exchange Price Errors 'Emerged At Linux Launch':

http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org]

---

LMAO!

APK

P.S.=> I've been around here for YEARS, watching the "FUD campaign" of the "Pro-*NIX" crew, & their "our stuff is more secure" etc./et al crap... funny, but my post above this one? Shows QUITE otherwise... & people always, Always, ALWAYS come back to Windows.

The only place Linux seems to do OK, is server-land... why? Free/no cost... lol, not much of a "competitive edge" though, when you find out what the Germans did, & their entire gov't. DUMPED Linux! apk

OH MY GOD!!!! (0)

Anonymous Coward | more than 3 years ago | (#35216724)

Ok, my subject line was a bit sarcastic.

Who cares though? Operating Systems often have bugs like this, they've fixed the issue, the end!

But... but... but... (-1)

Anonymous Coward | more than 3 years ago | (#35216728)

remote sploits only hit M$$$$ windoze hurrr nurrrr

Just asking (1)

scdeimos (632778) | more than 3 years ago | (#35216732)

Isn't the krb5 package supplied from upstream? Could this affect other distributions?

Re:Just asking (0)

Anonymous Coward | more than 3 years ago | (#35219022)

Who actually uses kerberos any more? There's certainly no point for an average user to even install kerberos, unless they need to connect to an enterprise or university network that requires it.

ftfa (5, Informative)

Lehk228 (705449) | more than 3 years ago | (#35216778)

Keiichi Mori discovered that the MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial of service attack due to improper logic when a worker child process exited because of invalid network input.

Kevin Longfellow and others discovered that the MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks when using an LDAP back end due to improper handling of network input.

certainly not a good thing, but this isn't a remote hole
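
The kpropd advisory quoted above says the fault was "improper logic when a worker child process exited because of invalid network input". The following is an added illustration of that bug class, written for this page; it is not krb5's code and the exact shape of kpropd's flaw is not described here beyond that sentence. The assumption it models is a fork-per-connection supervisor whose vulnerable variant treats any nonzero worker exit as fatal for the listener, so one malformed message from an unauthenticated client stops service for everyone, next to a fixed variant that logs the worker's failure and keeps accepting. The message format (4-byte big-endian length prefix) and the sample messages are constructed for the example.

```c
/* Added example, not krb5 code: how a per-connection worker's failure on
 * bad client input can take down a forking supervisor, and the fix.
 * Linux/POSIX only (fork, waitpid). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { MAX_MSG = 1024 };

/* Worker side: validate a constructed wire format, a 4-byte big-endian
 * length prefix followed by exactly that many payload bytes.
 * Returns 0 if well-formed, a nonzero reason code otherwise. */
int parse_message(const unsigned char *buf, size_t len) {
    if (len < 4) return 1;                          /* no complete header */
    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (n > MAX_MSG) return 2;                      /* absurd length claim */
    if (n != len - 4) return 3;                     /* truncated or trailing bytes */
    return 0;
}

/* Run the parser in a forked worker, as a per-connection daemon would,
 * and hand the raw wait status back to the supervisor. The worker exits
 * with the parser's reason code, so bad input means a nonzero exit. */
int run_worker(const unsigned char *buf, size_t len) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(parse_message(buf, len));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return status;
}

/* Vulnerable supervisor policy (assumed shape of the flaw): a worker
 * that exited nonzero or was killed is treated as a fatal error of the
 * daemon itself. Returns 1 when the parent would stop its accept loop. */
int parent_exits_vulnerable(int status) {
    if (WIFEXITED(status) && WEXITSTATUS(status) != 0) return 1;
    if (WIFSIGNALED(status)) return 1;
    return 0;
}

/* Fixed supervisor policy: a worker's death is a per-client event, not a
 * listener event. Log it and keep serving; only the parent's own
 * failures (not modelled here) should end the loop. Always returns 0. */
int parent_exits_fixed(int status) {
    if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
        fprintf(stderr, "worker exited %d on bad client input, continuing\n",
                WEXITSTATUS(status));
    else if (WIFSIGNALED(status))
        fprintf(stderr, "worker killed by signal %d, continuing\n",
                WTERMSIG(status));
    return 0;
}

/* Feed a constructed sequence of client messages (good, bad, good, good)
 * through the given supervisor policy and return how many of the three
 * valid messages were actually served before the supervisor gave up. */
int served_before_stop(int (*policy)(int)) {
    static const unsigned char good[] = {0, 0, 0, 3, 'a', 'b', 'c'};
    static const unsigned char bad[]  = {0xff, 0xff, 0xff, 0xff, 'x'};  /* bogus length */
    const unsigned char *msgs[] = { good, bad, good, good };
    const size_t lens[] = { sizeof good, sizeof bad, sizeof good, sizeof good };
    int served = 0;
    for (size_t i = 0; i < 4; i++) {
        int st = run_worker(msgs[i], lens[i]);
        if (st < 0) return -1;
        if (WIFEXITED(st) && WEXITSTATUS(st) == 0) served++;
        if (policy(st)) break;      /* listener gone: remaining clients get nothing */
    }
    return served;
}

int main(void) {
    printf("vulnerable parent served %d of 3 valid messages\n",
           served_before_stop(parent_exits_vulnerable));
    printf("fixed parent served %d of 3 valid messages\n",
           served_before_stop(parent_exits_fixed));
    return 0;
}
```

The point to take from it is the one seifried makes further down the thread: nothing is compromised, but a single bogus packet from an unauthenticated peer ends the listener, and for authentication infrastructure a dead daemon is an outage for every dependent service.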

Re:ftfa (1)

ehntoo (1692256) | more than 3 years ago | (#35217126)

The title may be a wee bit misleading, but I don't see anything other than your post mentioning anything about a "hole".

Re:ftfa (2)

Lehk228 (705449) | more than 3 years ago | (#35217186)

more to clarify for anyone skimming the thread without RTFA that, as of yet anyways, there is no means to compromise a machine with this.

Kerberos issue, Denial of Service, not critical (5, Informative)

seifried (12921) | more than 3 years ago | (#35217098)

This is a Kerberos (server side) issue affecting vendors shipping Kerberos, not an Ubuntu specific issue. All 4 of the issues are denial of service only (which is bad for authentication infrastructure since you can basically prevent everyone from getting any work done). Nothing to get terribly worked up about.

http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-001.txt [mit.edu]

http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-002.txt [mit.edu]

int getRandomNumber() (-1)

Anonymous Coward | more than 3 years ago | (#35217306)

{
    return 4; // chosen by fair dice roll.
              // guaranteed to be random.
}

Update Manager has it (1)

grikdog (697841) | more than 3 years ago | (#35218608)

Just installed the patches. Nicely, nicely quickstuff.

Re:Update Manager has it (1)

drinkypoo (153816) | more than 3 years ago | (#35221182)

I installed the patches before the article came out. Ubuntu has many failings, but time to first patch ain't one of them. Yes, I'm looking at you, Microsoft.

Slow News day.. (1)

sosaited (1925622) | more than 3 years ago | (#35219138)

The update was pushed to Automatic Updates and I installed it yesterday. Did a Windows fan-boy get just a bit too excited to see a Linux vulnerability?

Don't worry about it (0)

Anonymous Coward | more than 3 years ago | (#35220742)

I patched your machines for you