On 12/28/2011 08:57 PM, Craig White wrote:
On Wed, 2011-12-28 at 07:43 -0600, Johnny Hughes wrote:
There have been NO critical kernel updates. A critical update is one where someone can remotely execute items as the root user.
Almost all critical updates are Firefox, Thunderbird, telnetd (does anyone still allow telnet?), or samba (never expose that directly to the internet either :D). There was one critical issue on CentOS-5.x for exim:
http://rhn.redhat.com/errata/RHSA-2010-0970.html
All the other issues (non-critical) will require the user to get a "user shell" and then elevate their privileges some way
perhaps he is referring to RHSA 2011:1245 http://lists.centos.org/pipermail/centos/2011-September/118075.html
for which CentOS was very slow in getting the update out the door, but as you said, it was labeled 'important' and not 'critical', and of course it concerned apache and not the kernel.
That flaw has absolutely no "access" component. It allows a DDOS attack; it does not provide remote access to a machine.
From the bug:
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. (CVE-2011-3192)
How is that relevant to allowing access to someone's server?
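As an added illustration of the Range-header resource-exhaustion class the advisory text above describes (this is not code from the thread or from the Apache project): the check below parses a `Range` header value, counts the byte ranges it requests, and flags overlapping or excessive ranges so a front-end proxy or log review can distinguish a normal resumed download from a request that asks the server to assemble hundreds of redundant parts. The threshold `MAX_RANGES`, the default `resource_length`, and the sample header values are constructed assumptions for the example, not values from the page; the real fix for CVE-2011-3192 is the vendor httpd update.

```python
"""Classify an HTTP Range header value by how many byte ranges it requests.

Added example for reviewing Range headers (CVE-2011-3192 class of issue);
not part of the original mailing-list thread.
"""
import re
from dataclasses import dataclass

# Constructed threshold (assumption for this example): legitimate clients
# almost never request more than a handful of byte ranges per request.
MAX_RANGES = 5

# One byte-range-spec: "first-last", "first-", or "-suffix_length".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


@dataclass
class RangeVerdict:
    count: int        # number of satisfiable ranges requested
    overlapping: bool  # any two ranges cover the same bytes
    malformed: bool    # header did not parse as bytes=...

    @property
    def accept(self) -> bool:
        """True only for a well-formed, non-overlapping, modest request."""
        return (not self.malformed
                and not self.overlapping
                and self.count <= MAX_RANGES)


def parse_ranges(header_value: str, resource_length: int):
    """Parse 'bytes=a-b,c-d,...' into absolute (start, end) pairs.

    Suffix ranges ("-500") are resolved against resource_length; ranges
    that start past their end are unsatisfiable and skipped, as a server
    would ignore them.
    """
    if not header_value.lower().startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        spec = spec.strip()
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"bad byte-range-spec: {spec!r}")
        first, last = m.group(1), m.group(2)
        if first == "":                         # "-N": last N bytes
            start = max(resource_length - int(last), 0)
            end = resource_length - 1
        else:
            start = int(first)
            end = int(last) if last else resource_length - 1
            end = min(end, resource_length - 1)
        if start > end:
            continue                            # unsatisfiable, ignored
        ranges.append((start, end))
    return ranges


def has_overlap(ranges) -> bool:
    """Return True if any two byte ranges share at least one byte."""
    ordered = sorted(ranges)
    for (_, prev_end), (start, _) in zip(ordered, ordered[1:]):
        if start <= prev_end:
            return True
    return False


def assess_range_header(header_value: str, resource_length: int = 1_000_000) -> RangeVerdict:
    """Summarise a Range header for logging or for a proxy accept/deny decision."""
    try:
        ranges = parse_ranges(header_value, resource_length)
    except ValueError:
        return RangeVerdict(count=0, overlapping=False, malformed=True)
    return RangeVerdict(count=len(ranges), overlapping=has_overlap(ranges), malformed=False)


if __name__ == "__main__":
    # Constructed sample headers: a resumed download versus a request that
    # asks for the same leading bytes a hundred times over.
    normal = "bytes=0-499,500-999"
    abusive = "bytes=" + ",".join(f"0-{i}" for i in range(100))
    for label, value in (("normal", normal), ("abusive", abusive)):
        v = assess_range_header(value)
        print(f"{label}: ranges={v.count} overlapping={v.overlapping} accept={v.accept}")
```

Counting and overlap detection, rather than string matching on the header, catches the pattern regardless of how the ranges are spelled; a proxy would typically strip the `Range` header from rejected requests so the origin serves the whole file once instead of many fragments.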