Mandrake insecurity: Why blame Lindows and MS windows alone?

[Guest ndeb]

I checked that the mandrake-9.0 security update in

http://www.mandrakesecure.net/en/advisorie...=MDKSA-2003:031

does NOT fix the bug. After applying these updates on mandrake-9.0, just run (as non-root user)

ln -s /usr/bin/consolehelper shutdown

in ur home directory and then run

./shutdown now

 

Redhat fixed the same bug 2.5 years ago in http://www.linuxsecurity.com/advisories/re...visory-673.html . Its high time Mandrake fixed a bug properly. Its better not to fix a bug than claim to fix one (without actually fixing it).

[aru]

have you emailed them this excellent findout? :D

 

seems that instead of correcting the bug, they've just limited to remove a soft-link to the problematic program... really sad.

[Michel]

Linux is known for it's security and it is one of the reasons I like it. Hopefully they'll keep paying attention....I hope Linux doesn't becomes a product that needs security fixes every week. Of course you can say that it is better to repair them than someone "bad" discovers them. It is even better there are as much as possible avoided...

[aru]

I hope Linux doesn't becomes a product that needs security fixes every week.

You are wrong at this point. GNU/Linux and it's software have security and non security fixes and improvements, not every week, but every day, that's the good thing about open source :)

[Guest ndeb]

have you emailed them this excellent findout?

Not my findout actually. And I have let them know that their "update" is bogus.

[Ronin]

That is just sooo not good. Especially after releasing a supposed patch. Do they not test these things out before releasing them? Never mind, obviously they dont. Wonder what RedHat would look like on my boxs?

[Guest ndeb]

I have two wishes about RedHat:

1. They bring out an i586/i686 distro instead of the i386 they have now.

2. They start supporting KDE better.

 

But even if they take care of 1, I will start thinking of using redhat.

[theYinYeti]

Mandrake (and most other distros for that matter) will always be more secure than Lindows and Windows, because we use them everyday as non-root, whereas Lindows runs 100%root, and Windows...

 

Yves.

[aru]

...

ln -s /usr/bin/consolehelper shutdown

in ur home directory and then run

./shutdown now

...

 

Could this be avoided removing the file:

/etc/pam.d/shutdown

:?:

 

After reading the conlsolehelper man page I think that that would do the trick.

 

Anyone wants to test it (I cannot right now because my sister is working with my Mdk)

[aru]

OK, Ive managed to convince my syster to let me test a few things, and removing /etc/pam.d/shutdown fixes the error.

 

A simple way to fix ndeb's vulnerability::Security Advisory: usermode

[Guest linuksman]

Linux is known for it's security and it is one of the reasons I like it. Hopefully they'll keep paying attention....I hope Linux doesn't becomes a product that needs security fixes every week. Of course you can say that it is better to repair them than someone "bad" discovers them. It is even better there are as much as possible avoided...

 

Linux = kernel, around which many distributions (OSs) are built.

Mandrake = product built on top of Linux-n.n.n kernel.

 

Corporate entity which owns Mandrake should hope that their product doesn't need security fixes every week.

[Counterspy]

I think you need to realize that in Mandrakesoft's current financial position, they are simply not staffed well enough to fix these issues properly in every case. I have seen many bugs "deprecated" on the cooker mailing list since I discovered it. The other problem is the limited number of hardware configurations they have at their disposal meaning that some bugs are never caught. They rely on a dedicated group of cooker volunteers who perform the functions that would be done in house by larger and better financed software manufacturers.

 

It is also the case that many of Mandrakesoft's issues are reported with in days on other distributions using the same software. Those of us who want to see the company survive are really in the position of putting up with some inconvenient bugs, some of which are tracked and fixed by the people here. A good example from the a.o.l.m newsgroup is a user there who posted his own Mandrake 19-20 kernel fixing the supermount problem. He looked at the Mandrake 19-24 release which is supposed to have resolved these issues and found out that there were still unresolved issues that "may" not affect most users. Look up kernel 19-20 with author Bill Unruh in Google groups advanced for the discussions around this issue.

 

9.1 is make it or break it time for Mandrakesoft and I dearly hope they don't rush it out the door.

 

Counterspy

[Guest ndeb]

OK, Ive managed to convince my syster to let me test a few things, and removing /etc/pam.d/shutdown fixes the error.

Thats excellent. This file /etc/pam.d/shutdown. This proves all the more that mandrake could have fixed it at the first go itself. Has anybody reproduced the same bug in 9.1rc2 or cooker ?

 

It is also the case that many of Mandrakesoft's issues are reported with in days on other distributions using the same software. Those of us who want to see the company survive are really in the position of putting up with some inconvenient bugs, some of which are tracked and fixed by the people here. A good example from the a.o.l.m newsgroup is a user there who posted his own Mandrake 19-20 kernel fixing the supermount problem.

Aren't we doing the same ? We are reporting the bug and proposing the solution and also testing the solution. Only thing that mandrake needs to do is to apply that fix and give us new rpms. Its easy to see that if mandrake does not fix these bugs, they will never make it. There is no escape from bug-fixing.