| Click here to go to the original topic View previous topic :: View next topic |
| Author |
Message |
Kt
Joined: 23 Jan 2006
Posts: 3806
|
| Posted: Mon Mar 13, 2006 7:48 am Post subject: Whoops! There goes my root password! |
|
|
http://it.slashdot.org/it/06/03/13/0525254.shtml
Quote: BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects The 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."
Wow! Open source passwords!
What 'features' will the wonderful developers at Ubuntu think of next! :-D |
|
| Back to top |
|
endersshadow
Joined: 01 Feb 2004
Posts: 10130
Location: Dallas
|
| Posted: Mon Mar 13, 2006 8:20 am Post subject: Re: Whoops! There goes my root password! |
|
|
Helena` wrote: http://it.slashdot.org/it/06/03/13/0525254.shtml
Quote: BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects The 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."
Wow! Open source passwords!
What 'features' will the wonderful developers at Ubuntu think of next! :-D
It's a hole only in one version of the distribution, and a patch was released literally within hours of the bug being reported. Bugs happen--programmers make mistakes. But, it was patched quickly, which is what OSS is all about. |
|
| Back to top |
|
Kt
Joined: 23 Jan 2006
Posts: 3806
|
| Posted: Mon Mar 13, 2006 8:22 am Post subject: Re: Whoops! There goes my root password! |
|
|
endersshadow wrote: Helena` wrote: http://it.slashdot.org/it/06/03/13/0525254.shtml
Quote: BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects The 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."
Wow! Open source passwords!
What 'features' will the wonderful developers at Ubuntu think of next! :-D
It's a hole only in one version of the distribution, and a patch was released literally within hours of the bug being reported. Bugs happen--programmers make mistakes. But, it was patched quickly, which is what OSS is all about.
Does the patch delete the log file? |
|
| Back to top |
|
endersshadow
Joined: 01 Feb 2004
Posts: 10130
Location: Dallas
|
| Posted: Mon Mar 13, 2006 8:24 am Post subject: Re: Whoops! There goes my root password! |
|
|
Helena` wrote: Does the patch delete the log file?
It changes the permissions of it to RW only for root, and it also censors the answers to the password question. |
|
| Back to top |
|
Kt
Joined: 23 Jan 2006
Posts: 3806
|
| Posted: Mon Mar 13, 2006 8:28 am Post subject: Re: Whoops! There goes my root password! |
|
|
endersshadow wrote: Helena` wrote: Does the patch delete the log file?
It changes the permissions of it to RW only for root, and it also censors the answers to the password question.
Unless it's encrypted I believe permissions don't completely fix the problem, and supposing that the log file was created using 5.10, and you upgrade to 5.11, you may still have that old log file with your root password sitting around... |
|
| Back to top |
|
Protostar
Joined: 30 Jul 2004
Posts: 9630
Location: Raleigh, North Carolina
|
| Posted: Mon Mar 13, 2006 8:29 am Post subject: Re: Whoops! There goes my root password! |
|
|
Helena` wrote: http://it.slashdot.org/it/06/03/13/0525254.shtml
Quote: BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects The 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."
Wow! Open source passwords!
What 'features' will the wonderful developers at Ubuntu think of next! :-D
Gentoo is open source as well, so I don't know what you are trying to get at here (other than bashing Ubuntu). |
|
| Back to top |
|
endersshadow
Joined: 01 Feb 2004
Posts: 10130
Location: Dallas
|
| Posted: Mon Mar 13, 2006 8:31 am Post subject: Re: Whoops! There goes my root password! |
|
|
Helena` wrote: Unless it's encrypted I believe permissions don't completely fix the problem, and supposing that the log file was created using 5.10, and you upgrade to 5.11, you may still have that old log file with your root password sitting around...
Well, the upgrade will be from 5.10 to 6.04...the versions in Ubuntu are not sequential, here's how they work: <Years from 2000>:<Month> so 5.10 means it was released in October, 2005. 6.04 will be released in April, 2006. The file is deleted in a dist-upgrade to 6.04, and the problem is not in 6.04 (it's been beta released). Also, it removes the sensitive information from the log file, so encryption isn't necessary. |
|
| Back to top |
|
| Click here to go to the original topic |
