On Tue, 02 Dec 2003, Rick Moen wrote: > Quoting Micah Anderson ([EMAIL PROTECTED]): > > > I want to chime in here also, I too was unhappy that I did not know > > about a local root exploit in 2.4.22 until the Debian machines were > > compromised in this manner. I think a lot of people were in the same > > boat (not to mention the debian folks). I watch kerneltrap, kernel > > traffic, and slashdot fairly regularly for these purposes, and I did > > not see anything of this sort come through, otherwise I would have > > patched immediately (which is what I did last night when I received > > the information). > [...] > > I would like to know how I can be more abreast of future security > > issues like this if Bugtraq (et. al), kerneltrap, kerneltraffic, > > slashdot, etc. are not notified to flag this, and kernel.org does not > > flag this on the website, are we to wait for some high profile exploit > > to happen again before we are alerted to this problem? > > Well, the kernel.org changelogs _are_ public. Feel free to read them on > an ongoing basis, and comment on the security implications of bugfixes > as they're entered into the BitKeeper repository. There are any number > of mailing lists, Web sites, and magazines that would be delighted to > publish your analyses and advisories.
My information was flawed, I was told that the kernel developers knew that this was a security hole back in September. The fact that this was actually, NOT KNOWN, makes my searches in vain make sense. I see know from the detailed analysis that just came out: >The attacker then retrieved the source >code through HTTP for an (at that time) unknown local kernel exploit >and gained root permissions via this exploit. So, hey, my bad. > Or I guess you could pay someone to do likewise. anyways... micah