On Mon, Apr 27, 2009 at 12:53:41PM -0500, Mike McCarty wrote:
> > All users who run udev are recommended to upgrade and reboot.
>
> Why? What I see there shows two vulnerabilities indeed, but perhaps
> not for everyone. ISTM that they require a hostile local user, or at
> least one with a running local agent. I don't see how my LFS machine
> is vulnerable if
>
> no serial cable is connected
> no network cable is connected
> no PLIP is running or connected
> nobody lives in my house who wants to do my machine mischief
>
> I am not expert, so I perhaps am not able to see how the vulnerabilities
> listed affect my machine. Could you be more specific about how the
> vulnerabilities are subject to exploit? I'd appreciate that very much.
> IOW, I'd like to see something which would allow us to evaluate what
> our exposure might be.
>
> Mike

If, like many of us, you only have a single human user then you can do a risk assessment and decide you don't need to update. Nobody can recommend running known-vulnerable software, but for _everything_ on your LFS box you make your own choices.

If you have multiple human users, it is generally a good idea to mistrust them when you are in your sysadmin role. I'm not an expert either, and unlike regular distros we can't subscribe somebody to the full-disclosure list where at least one proof-of-concept has apparently circulated.

ĸen
-- 
the first time as tragedy, the second time as farce
