Unauthenticated RCE vs. all GNU/Linux systems (+ others) disclosed 3 weeks ago (opens in new tab)

(twitter.com)

35 pointsjesboat1y ago5 comments

5 comments

> Not yet, according to the devs the plan is to disclose to openwall on september 30 and afterwards the full disclosure will happen on october 6

So I understand this means we will need to wait till October 6 for more details. Would it be safe to assume anything being talked about right now is speculation?

siptin1y ago

It's probably something that's unexploitable in practice or rarely enabled by default or both if the developers aren't too bothered about fixing it. Sounds like yet another vulnerability that's more hype than anything serious.

theamk1y ago

Agreed - the only RCE vulnerabilities that would IMHO qualify to "All GNU/Linux systems" would be in Linux kernel networking stack and maybe in openssh.

But the "(+ others)" seems to imply it's not Linux kernel.

And OpenSSH is maintained by OpenBSD folks, who take security extremely seriously. I cannot imagine them taking 3+ weeks and not having security fix, nor arguing whether "Unauthenticated RCE" has a security impact.

So I am guessing it's one of the other common packages, probably not installed on every computer and/or not normally exposed to the internet.

theamk1y ago

Other discussion: https://news.ycombinator.com/item?id=41636796

jesboatOP1y ago

* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.

* Full disclosure happening in less than 2 weeks (as agreed with devs).

* Still no working fix.

1 more reply

j / k navigate · click thread line to collapse

5 comments

Prickle1y ago

> Not yet, according to the devs the plan is to disclose to openwall on september 30 and afterwards the full disclosure will happen on october 6

So I understand this means we will need to wait till October 6 for more details. Would it be safe to assume anything being talked about right now is speculation?

siptin1y ago

theamk1y ago

Agreed - the only RCE vulnerabilities that would IMHO qualify to "All GNU/Linux systems" would be in Linux kernel networking stack and maybe in openssh.

But the "(+ others)" seems to imply it's not Linux kernel.

So I am guessing it's one of the other common packages, probably not installed on every computer and/or not normally exposed to the internet.

theamk1y ago

Other discussion: https://news.ycombinator.com/item?id=41636796

jesboatOP1y ago

* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.

* Full disclosure happening in less than 2 weeks (as agreed with devs).

* Still no working fix.

1 more reply

j / k navigate · click thread line to collapse