Linux comes with all sorts of interesting features that are fun to try, but after reading stories like this one ZD Net, I don't think I would trust it for front-line duty. The security breach hit the Debian GNU/Linux project rather hard:
One core Debian server has been reinstalled after a compromise and services have been restored. On July 12th the host gluck.debian.org has been compromised using a local root vulnerability in the Linux kernel. The intruder had access to the server using a compromised developer account.
The services affected and temporarily taken down are: cvs, ddtp, lintian, people, popcon, planet, ports and release.
But it was fixed pretty fast, luckily, so the damage seems to have been limited. Here's the advisory for the kernel security flaw issue:
The kernel vulnerability that has been used for this compromise is referenced as CVE-2006-2451. It only exists in the Linux kernel 2.6.13 up to versions before 22.214.171.124, and 2.6.16 before 126.96.36.199. The bug allows a local user to gain root privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.
The current stable release, Debian GNU/Linux 3.1 alias 'sarge', contains Linux 2.6.8 and is thus not affected by this problem. The compromised server ran Linux 188.8.131.52.
If you run Linux 2.6.13 up to versions before 184.108.40.206, or Linux 2.6.16 up to versions before 220.127.116.11, please update your kernel immediately.
If you run Linux, make sure you swap out the kernels above to something newer and less "holey". You may also want to check out OpenBSD or FreeBSD if you no longer want to sleep with one eye open monitoring security advisories (yes, that's a very lame troll, no OS is 100% secure, and so forth).
Other related posts:
FreeBSD 6.2 released
Thunderbird 2.0 beta 1 out - and I like it
Firefox 2.0 and Windows Vista niggles
comments powered by Disqus