[CentOS] what percent of time are there unpatched exploits against default config?

Thu Dec 29 13:59:17 UTC 2011
Johnny Hughes <johnny at centos.org>

On 12/28/2011 08:57 PM, Craig White wrote:
> On Wed, 2011-12-28 at 07:43 -0600, Johnny Hughes wrote:
> 
>> There have been NO critical kernel updates.  A critical update is one
>> where someone can remotely execute items at the root users.
>>
>> Almost all critical updates are Firefox, Thunderbird, telnetd (does
>> anyone still allow telnet?), or samba (never expose that directly to the
>> internet either :D).  There was one critical issue on CentOS-5.x for exim:
>>
>> http://rhn.redhat.com/errata/RHSA-2010-0970.html
>>
>> All the other issues (non-critical) will require the user to get a "user
>> shell" and then elevate their privileges some way
> ----
> perhaps he is referring to RHSA 2011:1245
> http://lists.centos.org/pipermail/centos/2011-September/118075.html
> 
> which CentOS was very slow in getting the update out the door but as you
> said, it was labeled 'important' and not 'critical'  and of course
> concerned apache and not kernel.
> 


That flaw as absolutely no "access" component.  It allows a DDOS attack,
not provide remote access to a machine.

From the bug:

A flaw was found in the way the Apache HTTP Server handled Range HTTP
headers. A remote attacker could use this flaw to cause httpd to use an
excessive amount of memory and CPU time via HTTP requests with a
specially-crafted Range header. (CVE-2011-3192)

How is that relevant to allowing access to someone's server.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20111229/dc4d7caa/attachment-0005.sig>