| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On January 24, 2003 03:05 pm, Jim Nutt wrote: |
| 5 |
> On Fri, 24 Jan 2003 14:55:47 -0700 |
| 6 |
> |
| 7 |
> AJ Armstrong <aja@×××××××××××××.com> wrote: |
| 8 |
> > I'm attempting to determine if the recent CVS security advisory should |
| 9 |
> > be rated as 'high' or 'critical'. The bug involves a global |
| 10 |
> > pointer-to-heap that may be forced to free twice. The issue is |
| 11 |
> > whether or not Linux is fundamentally vulnerable to double-free bugs |
| 12 |
> > (which, for example, on BSD might permit execution of arbitrary code). |
| 13 |
> |
| 14 |
> I'm treating it as critical on my servers. I've already updated all of |
| 15 |
> them. In my opinion, it's better to assume the worst and hope for the best |
| 16 |
> when it comes to something like this.. |
| 17 |
|
| 18 |
Thanks, Jim. I agree. However, in this case my question is about an alert I |
| 19 |
will be sending out (which I should have mentioned). I try to be as acurate |
| 20 |
as possible on those - normally, I reserve 'critical' for remote root |
| 21 |
exploits and arbitrary code execution exploits for which an exploit is in the |
| 22 |
wild. I think that this one rates a critical only if there are already |
| 23 |
double-free exploits available for Linux. Hence my question. |
| 24 |
|
| 25 |
Of course, intelligent people may disagree (and please do so vocally....:-)) |
| 26 |
|
| 27 |
- -- |
| 28 |
AJ Armstrong |
| 29 |
aja@×××××××××××××.com |
| 30 |
|
| 31 |
Memes are a hoax. Pass it on. |
| 32 |
-----BEGIN PGP SIGNATURE----- |
| 33 |
Version: GnuPG v1.2.1 (GNU/Linux) |
| 34 |
|
| 35 |
iD8DBQE+Mbp+SgEAcQ45BAYRAotWAKCDJv/4gPBv3tpKQJtc1qE2ntzUpQCbBZhZ |
| 36 |
Ro/oJdqp257AHvYVLb8uNqQ= |
| 37 |
=CJYD |
| 38 |
-----END PGP SIGNATURE----- |
| 39 |
|
| 40 |
|
| 41 |
-- |
| 42 |
gentoo-dev@g.o mailing list |
Archives