:: Re: [DNG] Critical CVE?
Author: the pterodactyl
Date:  
To: dng
Subject: Re: [DNG] Critical CVE?
On Thu, Sep 26, 2024 at 12:24:11PM +0200, Martin Steigerwald wrote:
> Hi!
>
> the pterodactyl - 26.09.24, 10:26:40 CEST:
> > Howdy Devuaners,
> >
> > Can someone "in the know" please tell us what this is about and whether
> > we all should start a re-install movie en masse? […]
>
> Thanks for the notice in advance.
>
> I do not see anything on oss-security mailing list yet. Especially nothing
> actionable. Being embargoed could be a reason for that.
>
> But in what you quoted from a slashdot source you did not provide a link
> to "no working fix is still available".
>
> So how do you come to the conclusion that a re-install will help?


If the problem is in the CUPS browserd (which is enabled at install time),
*and* the browserd does some magic to the router fw that opens a port,
a reinstall without the browserd enabled might be a workaround.

I'm no networking genius, but I've read articles many moons ago about
the ability to open ports on an internet-facing router using some service
that the articles conclude is unwise. I think the protocol starts with a
lower-case 'm' but I don't recall, and these days I'm more of a user
than a technician. My beard is long and grey, and I am old and tired and hazy.
Been using Linux since 0.93 (or 0.91?) when we had to compile everything
ourselves, and the only way to begin was to use a Slackware boot floppy
downloaded over 9600 baud. Before RedHat. Way before Debian.

And I have nothing of real value on my boxen, they're backed-up, and if I
have to do custom re-install movies as a mitigation, so be it. Thankfully,
Devuan makes that easy.

Also, if I reinstalled offline, I could also go to the trouble of
installing intrusion countermeasures (before I go live on the net) to
prevent any executables from being trojaned in the event of an attacker
gaining a root shell, while we wait for a published CVE. See also,
`tripwire' and friends. They're a pain, but they work 100% against
this kind of attack.

I proceed based on the old SELinux joke:

Q: How secure is the root account on a Unix box?
A: Not very.

> I wait for independent confirmation and something actionable.
>
> And otherwise install updates timely. Maybe with that I will have a fix
> once the issue, if there truly is any, is made public.
>
> With security issues it is important to stay clear-headed. And prepare to
> act when there is something actionable instead of doing something random
> in the sheer hope it may help.


Couldn't agree more. Ty.

Kind regards,

--
"It not question of whether I'm paranoid, Scully, its a question of
whether I'm paranoid *enough*." -- Fox Mulder, "The X-Files"