Gentoo Archives: gentoo-user

From: Andrew Savchenko <bircoph@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Ghost cyber threat
Date: Thu, 29 Jan 2015 15:09:53
Message-Id: 20150129180941.35580a850cb7de56b4456544@gentoo.org
In Reply to: [gentoo-user] Re: Ghost cyber threat by James
On Wed, 28 Jan 2015 15:01:26 +0000 (UTC) James wrote:
> Philip Webb <purslow <at> ca.inter.net> writes:
>
> >
> > 150127 Joseph wrote:
> > > Does anybody know more about this "security flaw
> > > in the open-source Linux GNU C Library" :
> http://www.theglobeandmail.com/technology/linux-makers-release-patch-to-thwart-new-ghost-cyber-threat/article22662060/?cmpid=rss1
> >
> > Acc to this, it was patched 2013 & today threatens only long-term systems :
> >
> >
> http://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679
> >
> > I'm running 2.19-r1 , installed 140802 ; vulnerable are < 2.18 .
> >
> > Linux systems are at risk only when admins don't keep versions up-to-date.
>
>
> Maybe it's time to look into some of the work the gentoo hardened devs
> have going on:
>
> http://wiki.gentoo.org/wiki/Project:Hardened_musl

1. Main security is outdated software. E.g. ghost bug affects only
very old setups.

2. There is no proof that musl is more secure than glibc. Smaller
codebase tends to have fewer bugs, of course; but audience of musl
is multiple degrees smaller than that of glibc, thus many bugs are
just likely to be undiscovered. With more users and features musl
will also have critical bugs sooner or later.

This reminds me of the recent openssl issue, after which many switched
to polarssl and that one had a critical security bug just recently.

Best regards,
Andrew Savchenko