update

Keith Medcalf kmedcalf at dessus.com
Sun Sep 28 04:57:53 UTC 2014


This is another case where a change was made.

If the change had not been made (implement the new kernel) then the vulnerability would not have been introduced.

The more examples people think they find, the more it proves my proposition.  Vulnerabilities can only be introduced or removed through change.  If there is no change, then the vulnerability profile is fixed.

>-----Original Message-----
>From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of
>Valdis.Kletnieks at vt.edu
>Sent: Saturday, 27 September, 2014 22:47
>To: Jay Ashworth
>Cc: NANOG
>Subject: Re: update
>
>On Sat, 27 Sep 2014 21:10:28 -0400, Jay Ashworth said:
>
>> I haven't an example case, but it is theoretically possible.
>
>The sendmail setuid bug, where it failed to check the return code
>because it was *never* possible for setuid from root to non-root to
>fail...
>... until the Linux kernel grew new features.





More information about the NANOG mailing list