On January 24, 2003 03:05 pm, Jim Nutt wrote:
> On Fri, 24 Jan 2003 14:55:47 -0700
>
> AJ Armstrong <aja@×××××××××××××.com> wrote:
> > I'm attempting to determine if the recent CVS security advisory should
> > be rated as 'high' or 'critical'. The bug involves a global
> > pointer-to-heap that may be forced to free twice. The issue is
> > whether or not Linux is fundamentally vulnerable to double-free bugs
> > (which, for example, on BSD might permit execution of arbitrary code).
>
> I'm treating it as critical on my servers. I've already updated all of
> them. In my opinion, it's better to assume the worst and hope for the best
> when it comes to something like this..

Thanks, Jim. I agree. However, in this case my question is about an alert I
will be sending out (which I should have mentioned). I try to be as accurate
as possible on those - normally, I reserve 'critical' for remote root
exploits and arbitrary code execution exploits for which an exploit is in the
wild. I think that this one rates a critical only if there are already
double-free exploits available for Linux. Hence my question.

Of course, intelligent people may disagree (and please do so vocally....:-))

--
AJ Armstrong
aja@×××××××××××××.com

Memes are a hoax. Pass it on.
|
40 |
|
41 |
-- |
42 |
gentoo-dev@g.o mailing list |