[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] patch for vanilla kernel



On Tuesday 26 February 2008 20:18:42 Tom Brown wrote:
> On Tue, 26 Feb 2008, Valter Douglas LisbÃa Jr. wrote:
> > On Tuesday 26 February 2008 16:54:42 Tom Brown wrote:
> >> On Tue, 26 Feb 2008, Tom Brown wrote:
> >>> On Tue, 26 Feb 2008, Pasi KÃrkkÃinen wrote:
> >>>
> >>> I can not agree with that. If you're messing around on your desktop
> >>> machine, ok... you've already got root and you are the only user...
> >>> security patches aren't important in that scenario ... but if you're
> >>> providing real services to real users, and you don't want some script
> >>> kiddie wiping out your box starting from a PHP or SQL injection
> >>> exploit, then you need to be using kernels that aren't 18 months out of
> >>> date.
> >
> > Humm... SQL Injections don't has any issue with kernels and the PHP fails
> > normally runs with low level privileges on system, it could... but it's
> > not likely to hit the kernel without huge efforts.
>
> wtf? 
My english is not so good, what this mean :-)

> There are thousands of crappy php scripts out there that can be 
> tricked into running arbitrary code ... 
> add any one of the priviledge 
> escalation vulnerabilities and the attacker can escalate "arbitrary code"
> into "root access".
Yes, but do it is not so easy. If it be true, we has been gain a tons of 
exploits daily. Find a security fail, is a thing, reveals it to the world is 
other, do a real working exploit useable fo anyone is another yet. :-) 

I wasn't say it cannot be do, and is our obligation actualize the system (of 
course it is), but do a real penetrating in a system from a "bad input handle 
in PHP" to "execute a shell code in the system to be root" is hard, take time 
and require skill. A wanabee invasor is not likely to hack through a system 
without many working tools (read many just on hand exploits). Do it by raw 
force (read this find the fail, create a way to exploit it, make the shell 
code, etc.) is quite rare (for good or for bad). The most security fails 
showed in the Internet lacks the tool of proof part and is simple announced.

Note I not want to say that we can ignore security fails! We need maintain a 
upgraded system in any level. From high level to kernel. What I mean - is 
script kiddies cannot do it so easy.

Coming back to the thread, any security issue in the kernel 2.6.18.x had a 
correction, official or not. Some of them was posted in Xen-Devel list in a 
couple of days back.

Again, the most problems I see/find in stay in 2.6.18.x is the lack of drivers 
for recent hardware and some newer kernel resources. It's a very stable 
branch, the only major bug that throuble me is old AMD+PCChips hardware (no 
way to do it function!)

Finally, I will be very happy if Xen become offcially inside the vanilla 
kernel too.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.