Are these security concerns about Linux Mint valid?
I run Mint on my other machine, but haven't downloaded any ISOs lately, so this specific issue doesn't apply to me directly. But I keep thinking about this Reddit thread.
The main point of contention is this:
Quote:
Exactly. They were most likely breached into over CVE-2015-7547.
Did I already say you shouldn't use Linux Mint?
Well, here I am saying it again: Don't use Linux Mint! In fact, don't use any of these distributions who do not have a dedicated security team. Please, just don't!
This again just shows that maintaining a distribution takes more than just developing your own desktop packages and creating ISOs. It's a matter of providing something people can rely on!
None of these "I make my own Linux distribution because I can." distributions have their own security team.
FYI, the vulnerability was fixed in RedHat, Debian, Ubuntu, Fedora, openSuSE the day it was announced! Simply because these distributions have dedicated security teams!
Go ahead and downvote me into oblivion. But I will continue to repeat what I have said multiple times here: Linux Mint is garbage! Don't use it. It's a FrankenDebian by design!
(One link removed)
Here's where you'll have to excuse my inexperience, but please bear with me.
Do these criticisms make sense? It seems like the user who posted that comment has aggressively decried Mint at least a few times before. This does not make him wrong, but it does make me wonder.
The other thing that I read today said that Mint hides certain security updates by default. Why would they do this?
Should Mint users consider moving away from that distro?
Given that Mint has taken a proactive approach to dealing with the hack and that I've used Mint with no issues off and on for years, I call shenanigans on Reddit.
I mostly agree with frankbell, although I have never used Mint.
This particular event is not a source or binary exploit of the Mint repos - it is an exploit of yet another WordPress-based site in which it was hyperlinks that were changed, not code (albeit, a small consolation to those who downloaded from the bogus links).
But those who did download and failed to check the checksums of the ISO must accept their own share of the consequences. They themselves failed to take on the ordinary user responsibility for their end of the transaction, and failed to follow the instructions on the Mint site. This is not M$ or Red Delicious - the user has choices and responsibilities.
As I have said in other threads, the real problem we are all facing is an internet infrastructure designed for a sane world, now operating in one that is anything but sane. There is not and never will be "perfect" software, and there is ultimately no tech solution for malicious human initiated activities - regardless of whether or not there is a dedicated security team!
This is not a failing of Mint (other than use of WordPress), it is just one notably successful exploit for that day, there were very many others we did not read about. And there will be more tomorrow... and the next day... until it all melts down. My optimism is that it may happen quickly.
For their part, Mint has responded quickly and taken the one meaningful action of taking the site offline - which many are not willing to do when faced with similar problems. So they do deserve credit for their response.
It does appear however that they only shut it down after a second hit. Had the intruders any sense they wouldn't have exposed the fact they still had entry after the initial "clean up".
Pretty poor effort from the Mint team really.
Especially as the user forum database was exposed as well.
Well, I don't think Mint is 'garbage', and the guy who wrote it sounds like he's in some 'anti-Mint' rage.
Quote:
In fact, don't use any of these distributions who do not have a dedicated security team. Please, just don't!
This again just shows that maintaining a distribution takes more than just developing your own desktop packages and creating ISOs. It's a matter of providing something people can rely on!
I've used Mint with no issues enable or seen away. It does appear however that they only shut it down after a second hit. But those who did download and failed to check the checksums of the ISO must accept their own share of the consequences.
I'm not leaving Mint. The Forums, maybe, but not Mint as my preferred OS of Choice.
"most likely" seems like an opinion.
Lots of Monday Morning Quarterbacking going on in the current situation.
It is likely that the exact weakness may never be disclosed, but a weak db password is certainly alarming, at least to me.
It appears that the hacker modified the checksums present on the website to match the malicious upload.
I'm not sure what the average user can do in situations like that. Except maybe staying away from distros that don't encrypt that information in some way.
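A checksum published next to the download only detects tampering if it is authenticated separately from the site, for example by a detached OpenPGP signature over the checksum file made by a key whose fingerprint was obtained elsewhere. The sketch below is an added example, not part of the thread or any distribution's own tooling; the file names and the fingerprint argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example. File names and the FINGERPRINT argument are assumptions;
# the fingerprint must come from a source other than the download site.

# Succeeds only if SIG is a valid detached signature over SUMS made by the
# key with the given full fingerprint (40 or more hex digits, no spaces).
sums_signed_by() {
    local sums="$1" sig="$2" fpr="$3" status
    [ "${#fpr}" -ge 40 ] || return 1
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    # A "Good signature" from any key in the keyring is not enough:
    # pin the signer by matching gpg's machine-readable VALIDSIG line.
    printf '%s\n' "$status" | grep -qF "[GNUPG:] VALIDSIG $fpr "
}

# Succeeds only if ISO's SHA-256 equals the entry for its file name in SUMS.
# Expects sha256sum format: "<hex>  <name>" or "<hex> *<name>" (no spaces in name).
iso_matches_sums() {
    local iso="$1" sums="$2" name want have
    name=$(basename "$iso")
    want=$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f)} f==n {print $1; exit}' "$sums")
    [ -n "$want" ] || return 1
    have=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# usage: verify_iso ISO SUMS SIG FINGERPRINT
# The signature is checked first; an unsigned checksum file proves nothing.
verify_iso() {
    sums_signed_by "$2" "$3" "$4" || {
        echo "checksum file signature NOT verified" >&2; return 1; }
    iso_matches_sums "$1" "$2" || {
        echo "ISO does not match the signed checksum" >&2; return 1; }
    echo "OK: $1"
}
```
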
The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.
and "Who the f**k checks those anyway?" the hacker said.
Why is the interviewer referring to the interviewee as "the hacker"?
And if users don't check md5sums (they usually don't) why bother to change the published values?
The whole article smacks of click-bait.
I'm sure a lot of talented thought will go into the resolution of this incident. Automatically linking the download might not be the best idea -- perhaps the link should go onto a site page protected with HTTPS and then let me select the download option from that point. This simply draws the second point: I really don't know which of my X.509 certs are trustworthy. We really should verify these -- and sign them -- before using them. But that is a story for another time.
Linux Mint website hack
I think that, from what I've read, the main issue is with weaknesses in WordPress. Most likely, as has been mentioned, the Mint devs will lose WordPress for their web presence. I've read the same old Debian vitriol on Ars Technica that has been going on ad nauseam since Debian downstream distros ever came to the fore (they also disparage Ubuntu). Anyway, I will still continue to support the Mint distro. Debian was a great concept, and Mint makes it better; same with Ubuntu. Onward.
I used Mint long ago, but I never will again. If they let their website be hacked twice in one day, they need to go to WalMart and buy a clue. The WordPress hack is just one issue. The lack of a security team is a valid criticism, and I don't think Mint will ever have anyone who knows much about security. In the current environment, security is a basic necessity, and Mint has none. None.
I use multiple platforms. Only ONE runs Mint, but has for over a year. Others are Sparky, VSIDO, CentOS. I used to run pure Debian, and am likely to again. I used to run Ubuntu, but NEVER will again! So the MINT site is not terribly secure, and I am not likely to download a new image before they fix that, but I am not reloading this laptop running Mint until I have a LOT better reason!
I love that quote: "Panic is not your friend." Very true!
I've used WordPress since v. 1.5 for its original purpose: blogging. As a result, I tend to follow WordPress news, though I don't do so slavishly.
I don't know the technical details of what happened with linuxmint.com, but, in defense of that platform, I wish to note that security issues at WordPress sites are almost always related to dodgy plugins, rather than to WP itself. (Note that I said "almost always.")