Theo de Raadt wrote on Tue, Oct 17, 2006 at 05:30:53PM -0600:

> I just wanted to say... "Told you so".

After reading the Rapid7 exploit, i just wanted to make sure we are not running this stuff. Of course, none of our servers has Nvidia graphics, but some of the workstations do. And guess what? On about half of those, our Linux admins were running Driver "nvidia" - obviously, the long-standing unfixed bug didn't really scare them enough. <shudder>

Of course, we do not expose Linux workstations directly to the Internet, but have a firewall in between. Yet, this will of course offer little protection against bugs of this class. :-(

> Quite amusing.

You must be joking!! ;-) I just spent an hour ssh'ing from Linux box to Linux box, editing XF86Configs and restarting X servers. That's hardly fun if the hardware configurations vary such that you must decide for each case whether Driver "nv" or Driver "vesa" is the way to go...

> Of course we know this is not the last time this will happen.

If only people would realize! I just dropped a note to our internal Linux admin@ mailing list, explaining how i fixed those of our workstations being vulnerable - only to be asked the following question:

  But we will certainly return to Driver "nvidia" as soon as Nvidia releases a fix for this bug?

<shudder again>

This question got asked even though i forwarded Linus' quote on blobs there - thanks again to the guy who reminded us by reposting it here.

On the other hand, at least one of our Linux admins suggested to call a meeting in order to rethink our strategy for purchasing graphics cards, and in order to consider alternatives to Nvidia - in particular alternatives so well documented that they allow fully functional and truly open kernel level drivers.

[...]

> I also hope that their embedded^Husers feel the pain, so that one
> day they will stand beside us when we ask for open documentation.

Thank you kindly for your compassion; i do feel the pain, but little do i enjoy it. :-/

Apart from that, obviously, you are just right.