Hi,
When can we get stable patch for stable kernel 2.4.34?
Regards,
y.
i don't. for now there's no bug, there's only a claim of it (actually two if you count the supposed remote one as well, one wonders why it hasn't been announced with the same fanfare, it's surely a bigger thing than a local one). this company hasn't put anything tangible on the table therefore there's nothing we can do. furthermore, it's a bit suspicious that they intend to make a living out of this bug for another few months yet they disclosed the supposedly buggy function (which isn't complex and therefore easy to see if something's wrong in it), looks like the left hand doesn't know what the right one's doing. it's also funny that they think that grsec "should prevent any form of code execution and privilege escalation" whereas none of us has ever made that claim (quite the contrary in fact, we give certain guarantees only for certain classes of remote bugs, on localhost all bets are off, there's no system on the market today that could claim guarantees there). and if we accept their claim about grsec's goals, then wouldn't the very fact that one can run an exploit (against whatever bug) at all be *the* vulnerability itself?rs wrote:I think it would be a good idea to wait for the fix for expand_stack() critical bug:
http://www.digitalarmaments.com/pre2007-00018659.html
Don't you think so?
where did you see that 2.4.34 (or any particular grsec/pax version for that matter) was affected?I mean, grsec for 2.4.34 should have the fix for pax code (IMHO).
sorry, but it just doesn't scale. you wouldn't expect us to do the same every time someone makes a similar announcement (and given the lack of quality of bugtraq, i can imagine that a cron job would suffice). so the best response is to simply not start this claim-counterclaim cycle at all. people who are genuinely concerned about bugs in grsec/pax can look for them themselves, everyone else will have (and already must have had) to trust the code anyway.rs wrote:Perhaps an official statement, in mailing-lists, as well as grsec/pax webpages, would help.