[Secure-testing-team] Some notes on data commits
Moritz Muehlenhoff
jmm at inutil.org
Sun Jan 14 12:13:05 CET 2007
Florian Weimer wrote:
> - "unimportant" are PHP Safe mode bugs, path disclosure (doesn't
> matter on Debian), and issues for which we only ship vulnerable
> source code which isn't compiled into the package.
Plus all the junk reports about security issues, which are non-issues
in practice, like issues only "exploitable" if the code in question
is setuid root, exploits which only work if someone already has
administrative privileges or similar.
> [1] Given the ubiquity of privilege escalation vulnerabilities, it
> doesn't make much sense to differentiate between root and
> non-root.
While that used to be true in the past, Linux has become better and
local privilege escalation in production code isn't a monthly event
these days. (Unless you stuff several megabytes of black-box code
into your kernel, which led to two shiny remote root exploits in the
Ubuntu kernels. (Nvidia and Madwifi))
Cheers,
Moritz