attack on open source

Asked by GREG T.

I just read in a ZDNet newsletter that open source can be attacked through the SELinux file. It also said that kernels 2.6.30 and 2.6.18 were targeted; 2.6.18 is Red Hat. With 9.04 on kernel 2.6.28, are we next in line for attacks? Is the SELinux file really needed (can it be deleted without any harm)? What is the best way to be safe from this attack? Oh! It is a root attack.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Randall Ross

Levi Campbell (levicc00123) said :
#1

Could you please post a link to the article you mentioned?

midnightflash (midnightflash) said :
#2

As you mentioned... 2.6.18 and 2.6.30 are affected.
It's a special problem with the compiler optimizations.

I would not be too afraid until somebody confirms that 2.6.28 is affected.

And SELinux is not the problem... it's just not helping in such a case as it should and normally would.

Greetings

GREG T. (ubuntuer) said :
#3

What the report said:

A security researcher has released zero-day code for a flaw in the Linux kernel, saying that it bypasses security protections in the operating system.

The source code for the exploit was made available last week by researcher Brad Spengler on the Dailydave mailing list. According to the researcher, the code exploits a vulnerability in Linux version 2.6.30, and 2.6.18, and affects both 32-bit and 64-bit versions. The 2.6.18 kernel is used in Red Hat Enterprise Linux 5.

The exploit bypasses null pointer de-reference protection in the mainline kernel, which could allow an attacker to gain root control of a system, Spengler wrote.

It also uses arbitrary code execution to disable security features such as auditing, Security-Enhanced Linux (SELinux), AppArmor and Linux Security Module, while making the applications running outside the kernel believe that SELinux is still operating.

In the notes for his source code, Spengler said the exploit is strengthened if SELinux is applied to the operating system. SELinux is a set of modifications that can be applied to the kernel to harden it, by providing a set of security policies.

Read this
Ten reasons why Linux will oust Windows

The interest stirred up by Windows 7 is too little, too late to halt the rise of Linux, says Jack Wallen

Read more +

"Having SELinux enabled actually weakens system security for these kinds of exploits," he wrote.

Security training organisation the Sans Institute called the exploit "fascinating". In a blog post on Friday, Sans Institute incident handler Bojan Zdrnja said that the exploit uses the Linux compiler to overcome the security features.

"The compiler will introduce the vulnerability to the binary code, which didn't exist in the source code," wrote Zdrnja. "This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland — and this finally pwns the box."

In his notes on the source code, Spengler said that a workaround would be for administrators to compile the kernel with fno-delete-null-pointer-checks.

GREG T. (ubuntuer) said :
#4

SELinux: what is it and what is it for? In my system the file is empty. I hope this is a good thing. What programs enable SELinux?

actionparsnip (andrew-woodhead666) said :
#5

http://en.wikipedia.org/wiki/Security-Enhanced_Linux

I think the kernel team are smart enough to spot this kind of stuff and will release an update if it affects Ubuntu. The kernel is common to all Linux's as the kernel IS Linux, the rest round it is the distribution.

It will be dealt with if it is a cause for worry.

Linux will not oust Windows, they are both tools for a job. If Windows can do the job better than Linux then intelligently, Windows will be selected. It's only ignoramuses and fanboys who think one OS is better than another. Every OS sucks.

http://www.youtube.com/watch?v=d85p7JZXNy8

Best Randall Ross (randall) said :
#6

SELinux is a security layer that was designed to prevent applications from interfering with parts of the operating system that they shouldn't. It can be thought of as a "sandbox". Rules/policies for SELinux restrict the actions that applications can do.

SELinux is *not* enabled by default in Ubuntu. (The packages are present though.)

If you open a terminal and type this command, it will tell you which version of the kernel you are using, and the version will likely not match that in the warning, unless you have installed a custom kernel:
    uname -ros

Here's the output I get running Ubuntu 9.04 with all current updates applied:
  Linux 2.6.28-14-generic GNU/Linux

Should we worry? Probably not. The exploit is known and has been published. Maintainers of the Ubuntu distribution check these types of things before they release updated kernels. If an affected kernel were to (accidentally) find its way into Ubuntu the community would alert the maintainers *very* quickly, and things would be fixed.
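
A triage sketch for the version check described in the answer above (an added example, not part of the original post): it strips the distribution suffix from a `uname -r` string and compares the base version with the two versions named in the quoted report. The function names are hypothetical, and the `vm.mmap_min_addr` sysctl it also prints is not mentioned in the thread; it is the kernel setting for the lowest address user space may map.

```sh
#!/bin/sh
# Added example. A base-version match says nothing about distribution
# backports or patches; it is only a first triage step.

REPORTED_VERSIONS="2.6.18 2.6.30"   # versions named in the quoted report

# Strip the distribution suffix: "2.6.28-14-generic" -> "2.6.28"
kernel_base_version() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# 0 = base version is named in the report, 1 = it is not, 2 = unparseable
is_reported_version() {
    base=$(kernel_base_version "$1")
    if [ -z "$base" ]; then return 2; fi
    for v in $REPORTED_VERSIONS; do
        if [ "$base" = "$v" ]; then return 0; fi
    done
    return 1
}

# Lowest address user space may map; 0 means page zero is mappable.
# The report says the exploit bypasses this protection, so treat the
# value as context, not as a verdict.
mmap_min_addr() {
    f=${1:-/proc/sys/vm/mmap_min_addr}
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

report() {
    rel=${1:-$(uname -r)}
    rc=0
    is_reported_version "$rel" || rc=$?
    case $rc in
        0) echo "$rel: base version is named in the report" ;;
        1) echo "$rel: base version is not one of: $REPORTED_VERSIONS" ;;
        *) echo "$rel: could not parse a kernel version" ;;
    esac
    echo "vm.mmap_min_addr: $(mmap_min_addr)"
}

report "$@"
```

Run with no argument it inspects the running kernel; pass a release string to check one copied from another machine.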

GREG T. (ubuntuer) said :
#7

Thank you!!!!

GREG T. (ubuntuer) said :
#8

My system says 2.5.28-13 generic for 9.04 updated.

Sam_ (and-sam) said :
#9
GREG T. (ubuntuer) said :
#10

Thanks rrnwexec, that solved my question.

Vihar (vmankov) said :
#11

actionparsnip,
Thank you for the YouTube link!
I had fun watching it because that man sang part of my thoughts. And he does it very impressively :-)
Well, only part of my thoughts. From the opposite point of view nowadays you can have much more fun with computers, especially regarding sound and video transducing, due to the power processors, huge memory amount and high speed intercomputer connection.
But this concerns only the fun I think...

As this man sang I started with 32 then 64 Mb RAM (128 and 256 being luxuries that came after), HD under 1 Gb, don't remember the exact capabilities of the processors but you can imagine (no fan over it, it's slightly warm when you touch it). But I still could do the half of the REAL work that I can do now. It's amazing! Good enough word processor, spreadsheet (to say Lotus 1,2,3), math and plot programs, games some of them pseudo 3D, etc. (the graphics were simple but satisfying). Of course no real sound, no video, web-cams and so on. And no time lags due to loading/reloading programs/images. If the lag was more than fourth of second I assumed something is not going well on the system. Programs larger than 200 000 bytes were assumed "big" and power. Yes, the files were shown in bytes, the Kb shortness came later. The system crashed only for your inadequate decision or a fatal hardware failure and was easy to find the reason.
After that Windows 3.11 came... And the game of which the man sings began.
Maybe at that time point should be a branch there in evolving for people who want to stay with the simplicity. Now there's no way for simplicity.

A few times I discussed this with my daughter in the way "Once upon a time...":-) and yes, she has not a clue what am I talking about and takes it as a fairy tale.

Well, it's a kind of nostalgia here but someone clever should compare the effectiveness of "those" computers and nowadays monsters. I'm a dude but suspect much of the power (and money for ;-)) of contemporary PC's is vanishing for ineffective actions.

You know, they launched Pathfinder to Mars with 8-bit processors in it only...
I'm using links2 to connect with sites like this; guess why do I use it?

I'll show my daughter the clip and she'll have fun too, I'm sure;-)!

actionparsnip (andrew-woodhead666) said :
#12

But the OS runs the hardware and they all crash and have issues. People install Linux expecting some miracle OS that has zero problems. This is not true. You lose the problems inherent in Windows and gain the issues inherent in Linux. It's not an issue of speed or resources. It's just that every single piece of software and every OS has glitches and problems which makes them suck.

Hence every OS sucks. You just gotta choose the one that sucks least for your individual needs.

I personally use a great myriad of OSes

My router runs OpenBSD
My fileserver runs Gentoo and has a phenomenal uptime of just gone 3 years
My desktop runs Ubuntu
My work laptop runs XP

Vihar (vmankov) said :
#13

You compare nowadays OSes and you are right I think.

I compared "now" with the old times and all I want to say is PCs became hundreds of times more powerful by speed and resources doing at the same time 2 or 3 times more for the usual user, and this more concerns mainly the fun and not the real work.

I'll go now for a couple of beers.
Cheers, actionparsnip!

actionparsnip (andrew-woodhead666) said :
#14

Again, it's not about the speed of the hardware, it's the OS. Like the song says:

"It ain't the hardware man, it's that every OS sucks"

Beer sounds cool.