[CentOS] what percent of time are there unpatched exploits against default config?
Johnny Hughes
johnny at centos.org
Thu Dec 29 13:59:17 UTC 2011
On 12/28/2011 08:57 PM, Craig White wrote:
> On Wed, 2011-12-28 at 07:43 -0600, Johnny Hughes wrote:
>
>> There have been NO critical kernel updates. A critical update is one
>> where someone can remotely execute items at the root users.
>>
>> Almost all critical updates are Firefox, Thunderbird, telnetd (does
>> anyone still allow telnet?), or samba (never expose that directly to the
>> internet either :D). There was one critical issue on CentOS-5.x for exim:
>>
>> http://rhn.redhat.com/errata/RHSA-2010-0970.html
>>
>> All the other issues (non-critical) will require the user to get a "user
>> shell" and then elevate their privileges some way
> ----
> perhaps he is referring to RHSA 2011:1245
> http://lists.centos.org/pipermail/centos/2011-September/118075.html
>
> which CentOS was very slow in getting the update out the door but as you
> said, it was labeled 'important' and not 'critical' and of course
> concerned apache and not kernel.
>
That flaw has absolutely no "access" component. It allows a DDOS attack;
it does not provide remote access to a machine.
From the bug:
A flaw was found in the way the Apache HTTP Server handled Range HTTP
headers. A remote attacker could use this flaw to cause httpd to use an
excessive amount of memory and CPU time via HTTP requests with a
specially-crafted Range header. (CVE-2011-3192)
How is that relevant to allowing access to someone's server?
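Added example (not from the thread and not Apache's own code): a small Range header checker of the kind a front end can apply to catch the CVE-2011-3192 pattern of many or overlapping byte ranges in one request. The limit of 5 ranges and the sample headers are assumptions constructed for the example.

```python
import re

# Assumed limit: reject a request that carries more byte ranges than this.
MAX_RANGES = 5

_BYTES = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)


def parse_byte_ranges(header):
    """Parse an RFC 2616 Range header into (first, last) tuples; None marks an
    open end (e.g. "500-" or "-500"). Returns None if the header is not a
    syntactically valid bytes range specification."""
    m = _BYTES.match(header or "")
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue
        if spec.count("-") != 1:
            return None
        first, last = (s.strip() for s in spec.split("-"))
        if (first and not first.isdigit()) or (last and not last.isdigit()):
            return None
        if not first and not last:  # a bare "-" means nothing
            return None
        ranges.append((int(first) if first else None, int(last) if last else None))
    return ranges or None


def has_overlap(ranges):
    """True if any two closed ranges (both ends given) share a byte."""
    closed = sorted((f, l) for f, l in ranges if f is not None and l is not None)
    return any(f2 <= l1 for (_, l1), (f2, _) in zip(closed, closed[1:]))


def range_verdict(header):
    """Return (verdict, range_count): 'serve' ignores the header and sends the
    whole entity (also for malformed headers, as the RFC allows), 'ranges'
    honours it, 'reject' refuses too many or overlapping ranges."""
    ranges = parse_byte_ranges(header) if header is not None else None
    if ranges is None:
        return "serve", 0
    if len(ranges) > MAX_RANGES or has_overlap(ranges):
        return "reject", len(ranges)
    return "ranges", len(ranges)


# Constructed sample headers (not taken from the thread or any real traffic).
NORMAL = "bytes=0-499,1000-1499"
ABUSIVE = "bytes=" + ",".join("%d-" % i for i in range(100))  # 100 open-ended ranges
```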