On 12/28/2011 08:57 PM, Craig White wrote:
> On Wed, 2011-12-28 at 07:43 -0600, Johnny Hughes wrote:
>
>> There have been NO critical kernel updates. A critical update is one
>> where someone can remotely execute items as the root user.
>>
>> Almost all critical updates are Firefox, Thunderbird, telnetd (does
>> anyone still allow telnet?), or samba (never expose that directly to the
>> internet either :D). There was one critical issue on CentOS-5.x for exim:
>>
>> http://rhn.redhat.com/errata/RHSA-2010-0970.html
>>
>> All the other issues (non-critical) will require the user to get a "user
>> shell" and then elevate their privileges some way
> ----
> perhaps he is referring to RHSA 2011:1245
> http://lists.centos.org/pipermail/centos/2011-September/118075.html
>
> which CentOS was very slow in getting the update out the door but as you
> said, it was labeled 'important' and not 'critical' and of course
> concerned apache and not kernel.
>
That flaw has absolutely no "access" component. It allows a DDOS attack; it does not provide remote access to a machine.

From the bug:

A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. (CVE-2011-3192)

How is that relevant to allowing access to someone's server?
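As a defender-side illustration of the Range-header issue quoted above, here is an added example (not from the thread, and not Apache's own code) of a front-end check that parses an RFC 7233 Range header and refuses requests that are malformed or ask for more byte ranges than a server should reasonably serve; the MAX_RANGES limit and the sample headers are assumptions constructed for the demo.

```python
import re
from typing import List, Optional, Tuple

# Policy limit: how many byte-range-specs one request may carry before the
# server answers as if no Range header were sent. The value is an assumption
# for this example, not a figure from the thread or from Apache.
MAX_RANGES = 5

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Parse an RFC 7233 'bytes=' Range header into (first, last) pairs.
    Returns None when the header is syntactically invalid. A suffix range
    '-N' becomes (None, N); an open-ended range 'N-' becomes (N, None)."""
    unit, sep, spec = header.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return None
    ranges: List[Tuple[Optional[int], Optional[int]]] = []
    for part in spec.split(","):
        m = _RANGE_SPEC.match(part.strip())
        if not m:
            return None
        first, last = m.groups()
        if first == "" and last == "":
            return None          # '-' alone is not a byte-range-spec
        lo = int(first) if first else None
        hi = int(last) if last else None
        if lo is not None and hi is not None and hi < lo:
            return None          # last-byte-pos before first-byte-pos
        ranges.append((lo, hi))
    return ranges


def range_header_verdict(header: str) -> str:
    """'accept' a sane header, flag a 'malformed' one, or 'reject' one that
    requests more ranges than the policy allows."""
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return "malformed"
    return "reject" if len(ranges) > MAX_RANGES else "accept"


# Constructed sample headers for the demo; not traffic from the thread.
SAMPLE_RANGE_HEADERS = [
    "bytes=0-499",
    "bytes=500-999,-500",
    "bytes=abc",
    "bytes=" + ",".join(f"{i}-{i}" for i in range(20)),
]
```

A request whose verdict is "reject" should be served without range processing (a plain 200 response) rather than being dropped, so legitimate clients still get their content.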