Re: [SLE] KDE 3.1.4 ?
r.maurizzi_at_digitalpha.it
Date: 09/24/03
- Previous message: Ted: "[SLE] www failure"
- Maybe in reply to: Gerrit Jan Eldering: "[SLE] KDE 3.1.4 ?"
- Next in thread: stefan: "Re: [SLE] KDE 3.1.4 ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: suse-linux-e@suse.com
Date: Wed, 24 Sep 2003 10:17:17 +0200
> Notice the date on the file. And I would have had no reason to
> go digging for any KDM issues whatsoever since I personally
> think it's a waste of resources.. I am quite capable of typing startx.
The date on the file you gave the URL for is exactly the same: 16 Sept.
Regarding the "waste of resources", I may think like you that a graphic
login is one, but I doubt my many users would be as happy without it.
> >- SuSE do not have pam_krb5 installed or configured
>
> Doesn't matter the vulnerability exists in the packages that they
> shipped. So a fix being put out can not be argued about.
I'm sure the fix WILL be put out. But I think that, since SuSE resources
are not infinite, it's far better for us that they concentrate on more
dangerous vulnerabilities than the KDM one. Like the two ones in sendmail
and gkrellmd for which I downloaded the fixed rpm today.
> > - the number of Linux boxes connected to the net that let in
> > users using X11/XDCMP is near zero, due to the inefficiency
> > of the protocol
>
> And how would you know this. Do you have statistics to back up your
> assertion? Or would you just be stating an opinion? Do you know every
> Linux user personally and do you do scans of all ip networks? I think
> not. Whether the protocol is inefficient or not..it's in wide enough
> use that the vulnerability was announced..
The protocol is not in widespread use, or better not used at all, due to
the inherent inefficiency it has on high latency networks. And that is not
an opinion, it is how things are.
The fact you see very few connection attempts on your box for the X port is
proof enough: cracker and worm writers go for much more useful targets
than this (ones where you don't have to be a Kerberos authenticated user to
get in as root, for example.. ;-)
And finally, the vulnerability was announced because ALL of them are
announced in open source projects. Not because it was especially important
or urgent to fix.
> I'm not in any kind of situation with KDM or any other GUI login
> manager because they are a waste in my opinion but as I said
> earlier I'm more worried about those who don't work like I do
> or think as I do.
Well, I'm sure anyone who was able to put up a Kerberos authenticated,
network distributed X login system is wise enough to watch after himself.
My point was that it's not a "default configuration", nor a simple one to
set up unless you know very well what you are doing. That is the main
reason I don't think this fix is urgent.
That said, I think your reasoning that we should also worry for other users
out there is perfectly right. I don't want to end up like on Microsoft
OSes... ;-)
> >Then, why do you think this is an _important_ security upgrade?
>
> Security is security..one doesn't pick and choose. If it has the ability
> to be problem then it should be fixed. Period.
Security means assessing the risks and, if you have to make a choice,
fixing the more dangerous ones before the less dangerous ones.
And that's exactly what's happening in this case, in my opinion.
> The picking and choosing of what security issues to address would
> be the cause of the constant messages that I see scrolling in my tail
> window...
I beg to differ on this, also... Fixes for all security problems are always
released, even by Microsoft.
It's the poor security culture in many users and "sysadmins" that DO NOT
INSTALL FIXES that's causing so much cruft in our logs.
Worm writers and script kiddies know this, and so they go out trying, since
they'll find something for sure.
> so many so that I might as well not even tail my procmail or fetchmail
> logs because the firewall log just shoves them past too fast.
Try using grep to filter out unwanted messages... works wonders ;-)
I usually log ALL incoming connections with SuSEfirewall. I simply strip
the firewall's messages with a "grep -v SuSE-FW" when I'm looking for other
programs' messages.
Ciao,
Roberto
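An added example, not from the thread, of the log filtering Roberto describes: the firewall lines are dropped with the same `grep -v SuSE-FW`, and, going one step further, the dropped connections are condensed into a per-port count so a scan still stands out. The sample syslog lines are constructed; the `SuSE-FW-` prefix is the one the message mentions, the rest of the line layout is assumed.

```shell
#!/bin/sh
# Added example (not from the original thread): split SuSEfirewall's
# per-connection log lines from other daemons' messages in a syslog file.
# SAMPLE_LOG is constructed for the demonstration; the "SuSE-FW-..." prefix
# is the one the message refers to, the rest of the layout is assumed.
SAMPLE_LOG='Sep 24 09:58:01 host kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=135
Sep 24 09:58:03 host fetchmail[812]: 2 messages for roberto at mail.example.org
Sep 24 09:58:04 host kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=1044 DPT=135
Sep 24 09:58:05 host procmail: Folder: /var/mail/roberto  2461
Sep 24 09:58:09 host kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=4322 DPT=6000
Sep 24 09:58:11 host sendmail[900]: i8O7w9qa000900: from=<a@example.org>, size=1234'

# The "grep -v SuSE-FW" from the message: everything that is not a firewall
# line, so fetchmail/procmail/sendmail output can be read without the noise.
other_messages() {
    printf '%s\n' "$SAMPLE_LOG" | grep -v 'SuSE-FW'
}

# The firewall lines are not garbage, though: condensing them to a count per
# destination port keeps a port scan visible without scrolling past every hit.
fw_drops_by_port() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'SuSE-FW' \
        | sed -n 's/.* DPT=\([0-9][0-9]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

echo '--- non-firewall messages ---'
other_messages
echo '--- dropped connections per destination port ---'
fw_drops_by_port
```

With the sample above, `other_messages` prints the three daemon lines and `fw_drops_by_port` reports two drops on port 135 and one on port 6000.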
--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com