Guest ndeb, posted March 13, 2003:

I checked that the mandrake-9.0 security update in http://www.mandrakesecure.net/en/advisorie...=MDKSA-2003:031 does NOT fix the bug. After applying these updates on mandrake-9.0, just run (as non-root user)

    ln -s /usr/bin/consolehelper shutdown

in your home directory and then run

    ./shutdown now

Redhat fixed the same bug 2.5 years ago in http://www.linuxsecurity.com/advisories/re...visory-673.html . It's high time Mandrake fixed a bug properly. It's better not to fix a bug than claim to fix one (without actually fixing it).

aru, posted March 13, 2003:

Have you emailed them this excellent find? :D

Seems that instead of correcting the bug, they've just limited themselves to removing a soft link to the problematic program... really sad.

Michel, posted March 13, 2003:

Linux is known for its security and it is one of the reasons I like it. Hopefully they'll keep paying attention.... I hope Linux doesn't become a product that needs security fixes every week. Of course you can say that it is better to repair them than that someone "bad" discovers them. It is even better if they are avoided as much as possible...

aru, posted March 13, 2003:

> I hope Linux doesn't become a product that needs security fixes every week.

You are wrong at this point. GNU/Linux and its software have security and non-security fixes and improvements, not every week, but every day. That's the good thing about open source :)

Guest ndeb, posted March 14, 2003:

> Have you emailed them this excellent find?

Not my find actually. And I have let them know that their "update" is bogus.

Ronin, posted March 14, 2003:

That is just sooo not good. Especially after releasing a supposed patch. Do they not test these things out before releasing them? Never mind, obviously they don't. Wonder what RedHat would look like on my boxes?

Guest ndeb, posted March 14, 2003:

I have two wishes about RedHat:

1. They bring out an i586/i686 distro instead of the i386 they have now.
2. They start supporting KDE better.

But even if they take care of 1, I will start thinking of using RedHat.

theYinYeti, posted March 14, 2003:

Mandrake (and most other distros for that matter) will always be more secure than Lindows and Windows, because we use them every day as non-root, whereas Lindows runs 100% root, and Windows...

Yves.

aru, posted March 14, 2003:

> ...ln -s /usr/bin/consolehelper shutdown in your home directory and then run ./shutdown now ...

Could this be avoided by removing the file /etc/pam.d/shutdown? After reading the consolehelper man page I think that would do the trick. Does anyone want to test it? (I cannot right now because my sister is working with my Mdk.)

aru, posted March 14, 2003:

OK, I've managed to convince my sister to let me test a few things, and removing /etc/pam.d/shutdown fixes the error.

A simple way to fix ndeb's vulnerability: "Security Advisory: usermode"

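A check for the state described in the posts above, where the system symlink to consolehelper has been removed but /etc/pam.d/shutdown is still present. This is an added example, not part of any post in the thread; the /etc/security/console.apps directory is assumed from the usual usermode layout, and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists consolehelper services that are
# still configured although no system symlink to consolehelper exists for them.
# Assumption: usermode keeps per-program files in /etc/security/console.apps.
BIN_DIRS="usr/bin usr/sbin bin sbin"

has_system_link() {  # usage: has_system_link ROOT NAME
    for d in $BIN_DIRS; do
        if [ -L "$1/$d/$2" ]; then
            case "$(readlink "$1/$d/$2")" in
                consolehelper|*/consolehelper) return 0 ;;
            esac
        fi
    done
    return 1
}

orphaned_services() {  # usage: orphaned_services ROOT  (ROOT="" = live system)
    for pam in "$1"/etc/pam.d/*; do
        [ -f "$pam" ] || continue
        name=${pam##*/}
        # Only PAM services that also have a console.apps entry are relevant.
        [ -f "$1/etc/security/console.apps/$name" ] || continue
        has_system_link "$1" "$name" || printf '%s\n' "$name"
    done
}

build_sample_tree() {  # constructed tree mimicking the post-update state
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/pam.d" "$t/etc/security/console.apps" "$t/usr/bin"
    : > "$t/usr/bin/consolehelper"
    for n in shutdown halt; do
        : > "$t/etc/pam.d/$n"; : > "$t/etc/security/console.apps/$n"
    done
    ln -s consolehelper "$t/usr/bin/halt"   # halt keeps its system symlink
    : > "$t/etc/pam.d/login"                # ordinary PAM service, ignored
    printf '%s\n' "$t"
}

tree=$(build_sample_tree)
orphaned_services "$tree"    # prints: shutdown
rm -rf "$tree"
```

Calling `orphaned_services ""` audits the live system instead of the sample tree; after the workaround from the post above (removing /etc/pam.d/shutdown) the name is no longer listed.
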
Guest linuksman, posted March 14, 2003:

> Linux is known for its security and it is one of the reasons I like it. Hopefully they'll keep paying attention.... I hope Linux doesn't become a product that needs security fixes every week. Of course you can say that it is better to repair them than that someone "bad" discovers them. It is even better if they are avoided as much as possible...

Linux = kernel, around which many distributions (OSs) are built.
Mandrake = product built on top of Linux-n.n.n kernel.

Corporate entity which owns Mandrake should hope that their product doesn't need security fixes every week.

Counterspy, posted March 14, 2003:

I think you need to realize that in Mandrakesoft's current financial position, they are simply not staffed well enough to fix these issues properly in every case. I have seen many bugs "deprecated" on the cooker mailing list since I discovered it. The other problem is the limited number of hardware configurations they have at their disposal, meaning that some bugs are never caught. They rely on a dedicated group of cooker volunteers who perform the functions that would be done in house by larger and better financed software manufacturers.

It is also the case that many of Mandrakesoft's issues are reported within days on other distributions using the same software. Those of us who want to see the company survive are really in the position of putting up with some inconvenient bugs, some of which are tracked and fixed by the people here. A good example from the a.o.l.m newsgroup is a user there who posted his own Mandrake 19-20 kernel fixing the supermount problem. He looked at the Mandrake 19-24 release, which is supposed to have resolved these issues, and found out that there were still unresolved issues that "may" not affect most users. Look up kernel 19-20 with author Bill Unruh in Google Groups advanced search for the discussions around this issue.

9.1 is make it or break it time for Mandrakesoft and I dearly hope they don't rush it out the door.

Counterspy

Guest ndeb, posted March 14, 2003:

> OK, I've managed to convince my sister to let me test a few things, and removing /etc/pam.d/shutdown fixes the error.

That's excellent. This file /etc/pam.d/shutdown. This proves all the more that Mandrake could have fixed it at the first go itself. Has anybody reproduced the same bug in 9.1rc2 or cooker?

> It is also the case that many of Mandrakesoft's issues are reported within days on other distributions using the same software. Those of us who want to see the company survive are really in the position of putting up with some inconvenient bugs, some of which are tracked and fixed by the people here. A good example from the a.o.l.m newsgroup is a user there who posted his own Mandrake 19-20 kernel fixing the supermount problem.

Aren't we doing the same? We are reporting the bug and proposing the solution and also testing the solution. The only thing that Mandrake needs to do is to apply that fix and give us new rpms. It's easy to see that if Mandrake does not fix these bugs, they will never make it. There is no escape from bug-fixing.