Unauthenticated RCE vs. all GNU/Linux systems (+ others) disclosed 3 weeks ago

Unauthenticated RCE vs. all GNU/Linux systems (+ others) disclosed 3 weeks ago(twitter.com)

35 points by jesboat 1 year ago | 5 comments

Prickle 1 year ago |

> Not yet, according to the devs the plan is to disclose to openwall on september 30 and afterwards the full disclosure will happen on october 6

So I understand this means we will need to wait till October 6 for more details. Would it be safe to assume anything being talked about right now is speculation?

siptin 1 year ago |

It's probably something that's unexploitable in practice or rarely enabled by default or both if the developers aren't too bothered about fixing it. Sounds like yet another vulnerability that's more hype than anything serious.

theamk 1 year ago | |

Agreed - the only RCE vulnerabilities that would IMHO qualify to "All GNU/Linux systems" would be in Linux kernel networking stack and maybe in openssh.

But the "(+ others)" seems to imply it's not Linux kernel.

And OpenSSH is maintained by OpenBSD folks, who take security extremely seriously. I cannot imagine them taking 3+ weeks and not having security fix, nor arguing whether "Unauthenticated RCE" has a security impact.

So I am guessing it's one of the other common packages, probably not installed on every computer and/or not normally exposed to the internet.

theamk 1 year ago |

Other discussion: https://news.ycombinator.com/item?id=41636796

jesboat 1 year ago |

* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.

* Full disclosure happening in less than 2 weeks (as agreed with devs).

* Still no working fix.