On Wed, 28 Jan 2015 15:01:26 +0000 (UTC) James wrote:
> Philip Webb <purslow <at> ca.inter.net> writes:
> 
> > 
> > 150127 Joseph wrote:
> > > Does anybody know more about this "security flaw
> > > in the open-source Linux GNU C Library" :
> > > http://www.theglobeandmail.com/technology/linux-makers-release-patch-to-thwart-new-ghost-cyber-threat/article22662060/?cmpid=rss1
> > 
> > Acc to this, it was patched 2013 & today threatens only long-term systems :
> > 
> > http://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679
> > 
> > I'm running 2.19-r1 , installed 140802 ; vulnerable are < 2.18 .
> > 
> > Linux systems are at risk only when admins don't keep versions up-to-date.
> 
> 
> Maybe it's time to look into some of the work the gentoo hardened devs
> have going on:
> 
> http://wiki.gentoo.org/wiki/Project:Hardened_musl

1. Main security is outdated software. E.g. the ghost bug affects only
very old setups.

2. There is no proof that musl is more secure than glibc. A smaller
codebase tends to have fewer bugs, of course; but the audience of musl
is multiple degrees smaller than that of glibc, thus many bugs are
just likely to be undiscovered. With more users and features musl
will also have critical bugs sooner or later.

This reminds me of the recent openssl issue, after which many switched
to polarssl and that one had a critical security bug just recently.

Best regards,
Andrew Savchenko
