[SOLVED] Any guy able to exploit a Wordpress, Joomla, Drupal from a Slackware Server can get easily root access. How do you comment, Mr. Volkerding?
Like anything the patch will come soon enough, but for now, anyone can do this themselves. You can wait for Patrick to add the patch officially, or you can add it yourself and not have to wait. Of course common sense should tell you, you should do it yourself.
Yes, as I said, I've already upgraded manually. This has prompted me to look into grsec though, and I'm working on a script to pull the latest kernel with grsec and build it. Unfortunately that means using a fairly new kernel, so it probably won't work for everyone, but it seems fine so far on my ThinkPad X200.
I generally give people the benefit of the doubt when they're from a different culture, speaking in a language that isn't their native tongue.
My wife and her family are from a different country than I. We both live in another country than where we grew up. I have lived and worked in still other countries. Mr Vader has a much better command of English than I have/had of any other language, but the first thing I did in any other language/culture was learn how to be polite. My apologies to others on this thread for going off topic.
Slackware's strength is clearly not its security patching practices.
Sentences like "you can patch the vuln yourself" are only a cover for the fact that the distribution does not get good support from the distributor. I don't say this for this vulnerability, I say it because we have had many timespans in which security fixes were halted without prior warning.
I can go Real Man TM and do the patching myself, for months if necessary, but that is just like having a gardening accident, cutting yourself in the leg, going Real Man TM, applying a bandage to the wound and continuing to work. You can do it, but solving the problem like a Real Man TM is not the ideal you should strive for. The ideal you should strive for is having no problem to solve.
I can fix my own leg, but I acknowledge that doing so is not a win. And I am certainly not looking down on people who protest because the problem exists.
Well, nearly all distributions will use a month or so to verify any patches before inflicting them on users. I don't see Slackware as being any different.
If you want patches faster than that, you are free to do them yourself.
I am ok with the distributor taking time to check the patches and do as much quality assessment as needed. That is not the problem.
How do you know? Pat could be doing a ton of testing for all affected Slackware versions (back to 12.1, if I remember right) to see if patched kernels will cause any issues. Considering he usually releases patches across all versions at the same time, this is plausible. It is possible that he might even release updates for EOLed Slackware versions (though, I wouldn't expect this, since they are EOLed). Upgrading kernels on a stable machine and trying to guarantee that stability to the end-users isn't always the easiest thing to do, and it doesn't happen very often. It's only happened 6 times in the last 15 Slackware versions (since 9.0 released in 2003).
Or, as 55020 mentioned, he may be celebrating his birthday and might've not been online for some time. This is one of the possibilities when you run a distro that is solely managed by one person (although, he does have some great people by his side to help get things prepped). If that one person is off the grid, then you may go some time without any updates. And because he's a one man show, he may decide some vulnerabilities aren't high enough priority to warrant patches (although, I doubt that is the case here).
If you can't deal with that possibility, then maybe Slackware isn't the distro for you.
Don't get me wrong, I do believe this warrants Pat putting out a patch, but we don't know why he's been quiet.
Quote:
Originally Posted by bassmadrigal
..... Or, as 55020 mentioned, he may be celebrating his birthday and might've not been online for some time. This is one of the possibilities when you run a distro that is solely managed by one person (although, he does have some great people by his side to help get things prepped). If that one person is off the grid, then you may go some time without any updates. And because he's a one man show, he may decide some vulnerabilities aren't high enough priority to warrant patches (although, I doubt that is the case here).....
....Don't get me wrong, I do believe this warrants Pat putting out a patch, but we don't know why he's been quiet.
He is certainly entitled to a vacation and/or a birthday celebration, but he has been checking in. He was "here" both this last Saturday and Sunday, but not, yet, this week.
Quote:
Originally Posted by justwantin
My wife and her family are from a different country than I. We both live in another country than where we grew up. I have lived and worked in still other countries. Mr Vader has a much better command of English than I have/had of any other language, but the first thing I did in any other language/culture was learn how to be polite. My apologies to others on this thread for going off topic.
Mr Vader isn't in another country now are they? They're communicating over the internet. Aside from that, even between English speaking countries there are differences in etiquette. You would like to assume they are at fault, I'd like to give them the benefit at that. We obviously disagree on giving people the benefit of the doubt so I won't debate the point further, but since we're giving anecdotes, let me share one as I leave.
In my native language, a waiter may ask you "What do you want?" while in English the more polite way to say this would be "How may I help you?" (Plus a lot of other filler). In return the customer would reply with "Give me a coffee" while in English they would say "Could I please have a coffee? Thank you" (Side note: I notice Americans in this position use a lot less pleases and thank yous than Australians do, just to emphasise my earlier point. In fact they'll even just reply "mhm" when you say thank you which would be incredibly rude in Australia). One of my friends faced this exact situation when working in a coffee shop when her manager had to pull aside and say "Look, you can't just say to customers "What do you want?". It's rude". My friend was absolutely mortified because that wasn't her intention. She took for granted that the culture would be the same. Now you can look at that situation with an air of moral superiority and say "You should have learned the language and cultural values to a T before any attempt at communication with people from that language and culture", or you could think "Hey, these things happen. At least now you know!".
Quote:
Originally Posted by justwantin
He is certainly entitled to a vacation and/or a birthday celebration, but he has been checking in. He was "here" both this last Saturday and Sunday, but not, yet, this week.
He hasn't had a post since September. Just because it shows someone as online doesn't mean they were browsing the forum. Maybe it was a page open on his mobile phone and it refreshed when he opened up the browser. It doesn't mean he got on the forum and read through threads. It could've also been his wife or somebody else who got on his computer, and maybe LQ is his homepage.
There are several reasons that it could show a last online time without Pat having actually read through the forum, so without any official word from him, it's hard to know what's going on.
Quote:
Originally Posted by bassmadrigal
....There are several reasons that it could show a last online time without Pat having actually read through the forum, so without any official word from him, it's hard to know what's going on.
All true.
This is starting to remind me of the "lack of communication" discussion we have had in the past.
Quote:
"Hey, these things happen. At least now you know!".
Jeeeez..... I never would have understood any of this if you hadn't added your post to this thread. Now if you want to know where I have been, what I did there and/or what people/cultures I may have interacted with (and I'm not just talking about ordering a coffee in a Melbourne cafe), you can get off of this thread and PM me. That's what PMs are about. I'm just guessing here ...... there might be some cultural nuance(s) involved for some folks that require public airings of perceived or (perhaps) private grievances. As far as I'm concerned, the demands and bold text of the OP were over the top and impolite. Don't know where you come from. You or anyone else can PM me, and if you are not polite .... maybe ... wait for an answer.
Last edited by justwantin; 10-27-2016 at 09:30 PM.