[174724] in North American Network Operators' Group


RE: update

daemon@ATHENA.MIT.EDU (Keith Medcalf)
Sun Sep 28 00:58:08 2014

X-Original-To: nanog@nanog.org
Date: Sat, 27 Sep 2014 22:57:53 -0600
In-Reply-To: <68040.1411879599@turing-police.cc.vt.edu>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


This is another case where a change was made.

If the change had not been made (implement the new kernel) then the vulnerability would not have been introduced.

The more examples people think they find, the more it proves my proposition.  Vulnerabilities can only be introduced or removed through change.  If there is no change, then the vulnerability profile is fixed.

>-----Original Message-----
>From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of
>Valdis.Kletnieks@vt.edu
>Sent: Saturday, 27 September, 2014 22:47
>To: Jay Ashworth
>Cc: NANOG
>Subject: Re: update
>
>On Sat, 27 Sep 2014 21:10:28 -0400, Jay Ashworth said:
>
>> I haven't an example case, but it is theoretically possible.
>
>The sendmail setuid bug, where it failed to check the return code
>because it was *never* possible for setuid from root to non-root to
>fail...
>... until the Linux kernel grew new features.
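
The failure mode named in the quoted message (a privilege drop whose return code is never checked), shown beside a checked version, as an added C example that is not from the thread or from sendmail. The function names are hypothetical, and `setuid_refused` and `setuid_noop` are constructed stubs standing in for a kernel that refuses the call or reports success without changing the ids.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as setuid(2); injected so the failure path can be exercised. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stub: the call is refused, as if the kernel denied it. */
static int setuid_refused(uid_t uid) { (void)uid; errno = EPERM; return -1; }

/* Constructed stub: reports success but leaves the process ids untouched. */
static int setuid_noop(uid_t uid) { (void)uid; return 0; }

/* Unchecked pattern: the result of the drop is ignored. */
static int drop_unchecked(uid_t target, setuid_fn do_setuid) {
    (void)do_setuid(target);
    return 0; /* caller now believes it is unprivileged */
}

/* Checked pattern: fail closed on error, then verify the ids really changed. */
static int drop_checked(uid_t target, setuid_fn do_setuid) {
    if (do_setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void) {
    uid_t me = getuid();

    /* Refused call: the unchecked version still reports success. */
    printf("unchecked, refused: %d\n", drop_unchecked(me, setuid_refused));
    printf("checked,   refused: %d\n", drop_checked(me, setuid_refused));

    /* Call that "succeeds" without effect: caught by the post-check. */
    printf("checked,   no-op:   %d\n", drop_checked(me + 1, setuid_noop));

    /* Real setuid(2) to our own uid; a privileged daemon would exit on -1. */
    if (drop_checked(me, setuid) != 0) {
        perror("privilege drop failed, refusing to continue");
        return 1;
    }
    return 0;
}
```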



