From: | Andrew Savchenko <bircoph@g.o> | ||
---|---|---|---|
To: | gentoo-user@l.g.o | ||
Subject: | Re: [gentoo-user] Re: Ghost cyber threat | ||
Date: | Thu, 29 Jan 2015 15:09:53 | ||
Message-Id: | 20150129180941.35580a850cb7de56b4456544@gentoo.org | ||
In Reply to: | [gentoo-user] Re: Ghost cyber threat by James |
1 | On Wed, 28 Jan 2015 15:01:26 +0000 (UTC) James wrote: |
2 | > Philip Webb <purslow <at> ca.inter.net> writes: |
3 | > |
4 | > > |
5 | > > 150127 Joseph wrote: |
6 | > > > Does anybody know more about this "security flaw |
7 | > > > in the open-source Linux GNU C Library" : |
8 | > http://www.theglobeandmail.com/technology/linux-makers-release-patch-to-thwart-new-ghost-cyber-threat/article22662060/?cmpid=rss1 |
9 | > > |
10 | > > Acc to this, it was patched 2013 & today threatens only long-term systems : |
11 | > > |
12 | > > |
13 | > http://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679 |
14 | > > |
15 | > > I'm running 2.19-r1 , installed 140802 ; vulnerable are < 2.18 . |
16 | > > |
17 | > > Linux systems are at risk only when admins don't keep versions upto-date. |
18 | > |
19 | > |
20 | > Maybe it's time to looking into some of the work the gentoo hardened devs |
21 | > have going on: |
22 | > |
23 | > http://wiki.gentoo.org/wiki/Project:Hardened_musl |
24 | |
25 | 1. Main security is outdated software. E.g. ghost bug affects only |
26 | very old setups. |
27 | |
28 | 2. There is no proof that musl is more secure than glibc. Smaller |
29 | codebase tends to have less bugs, of course; but audience of musl |
30 | is multiple degrees smaller than that of glibc, thus many bugs are |
31 | just likely to be undiscovered. With more users and features musl |
32 | will also have critical bugs sooner or later. |
33 | |
34 | These reminds me of recent openssl issue, after which many switched |
35 | to polarssl and that one had a critical security bug just recently. |
36 | |
37 | Best regards, |
38 | Andrew Savchenko |