Just one of the reasons, its not the latest or fastest, some accuse it of being downright bloated in Linux world but when it comes to patches, Ubuntu plain simple rules. http://www.ubuntu.com/usn/usn-758-1 Ubuntu is the first on the block with the patch for this critical bug, Debian, SuSe, RH et al haven't done it yet.
I think Suse has released it now. I know for a fact that Fedora (and Red Hat) released it several hours ago. Gentoo is in the process of getting the patch in the stable tree (they may already have). But, yes, Ubuntu deserves props on this one.
Unfortunately you say this for all the security problems... Already exists some distros that use latest package versions and that already cover a lot of these issues...
Lets see if I've got this correct......Ubuntu is the best because after years of running some vulnerability it'll be the first to get the patch I'd be more interested in you telling us what effect this vulnerability has had on Linux users over the years... If one is to use Linux, with its vulnerabilities, and do so over the years, it really make sense to use something not the latest or fastest and downright bloated
Latest doesn't mean secure in any sense, OTOH it could mean a buggy piece of program with stability issues, Ubuntu philosophy gives preference to stability and security over all so they succeed in that. Their goal is not speed or having the latest development of a program. They would rather wait and see. Its up to your choice. The uudev issue has affected all other distros as well, Ubuntu releases patches for all their current and previous in support distros. About distros containing latest package, the uudev issue is farily new and critical, the four major distros have been shown to be affected. They have given no indication about the other small distros which probably could be affected as well but don't feature on their list.
Sure you would. Then you'd be able to post all over the Internet about how dangerous it is to use Linux. But the fact is, there have been NO, ZERO, ZILCH, NADA, reports of any malware that made use of this vulnerability. Which, BTW, you can't say about the eight patches MS released just last week.
Well well well... Why don't you do a search on the "Internet" and see exactly what I post, just maybe you'll find I use Linux and not MS. Odd, but that was my point, Arup wouldn't be able to answer my question with anything other Which in point-who cares if Ubuntu is the first to offer the patch Oh BTW I'm not anti-Ubuntu, I use 8.04 LTS. There's plenty of reasons to use Linux & various Distro's, who's the first to release patches isn't one of them.
I think it's fair to say that the big distros are all relatively equal in terms of the time it takes to get a security patch in the repos. Fedora, Suse, Ubuntu, Gentoo all had this patch by late last night (not sure about Red Hat, but considering they are connected to Fedora, I imagine they got it at about the same time). Ubuntu might have been first by a few hours, but I don't think that is reason to pick one of these distros over the other. Now security patches might be a consideration if one is looking to use one of the "small" unpopular distros.
I don't know about you, but I don't want any vulnerable software on my system. When something has a vulnerability, I want it fixed as quickly as possible while not affecting any other portions of my system. Wanting anything else frankly does not make sense. As for malware affecting the system, I don't think you understood the real negative effects of the vulnerability. It allows regular users to gain super-user access. If I'm in charge of a large corporation with multi-user workstations, I do not want anyone to gain root on my boxes I'm in charge of and potentially cause havoc throughout my system. As for Ubuntu and patching, it was good this time, but I can think of other times (well debian on which ubuntu is based) **cough openssl cough** where they took patching too far. It may not be, but if firefox comes out with a new release that fixes multiple security bug and my distribution does not bring a new version of firefox into the tree for over a week, I get a little disappointed. Security and stability should always be paramount, however some distros like to focus on having the latest version of KDE out before its released before updating openssh or firefox quickly which is frustrating sometimes. Cheers, Alphalutra1
My apologies. I guess I'm a little defenses. It's just that anytime anyone mentions a patch for a Linux vulernability, it seems a dozen MS fanboys jump all over it with the litany "Linux isn't any safer than Windows." Which is, of course, just so much BS. It seems I was also mistaken about the number of vulnerabilities MS patched on Tuesday. There were 20 covered by the 8 patches.
What we want and the reality of such doesn't always match up. I always want vulnerabilities fixed. I understand fully, its you and others who seem to not understand...Nothing is vulnerable until someone discovers the vulnerability and actually makes use of it . Do you know how long the Open Source community has known of this vulnerability ? Do you know of any cases where this vulnerability has been exploited ? I agree but the Firefox example is easily fixed, when the new update is released you download it from Mozilla and install it.
So somebody discovered the vulnerability, but since a widespread use of it has not come its not a problem? I'm not following you at all. A problem in software is a problem in software. It will come to haunt you eventually. Security should be proactive, not reactive. No I didn't. But I did follow the link Arup provided, googled the CVE number, and found it had been submitted March 31, 2009. Thats over two weeks. That's two weeks someone could have gone to a multiuser workstation, walked up, run an executable, and manipulated the workstation. It doesn't need to be a widescale Conflicker, if it happens just once due to some ticked off programmer who is about to get laid off due to the economy on a huge corporation network, thats not good. Sure your single-user desktop with only you running locally is fine, but far more important workstations and servers are out there that root access is a death send to the administrator. Again, it requires local access, not remote, so it being exploited is not going to be a huge publicity stunt. I'm sure it has by someone. Great, so now I have to deal with packages not managed by the package manager of my OS. I have to be in charge of yet another thing for administration. Automated updates are a reason why I migrated to alternative OSs, and another reason I don't use Slackware. Then if something like an important lib or python/perl is updated then the whole system could get FUBARed if I just update it, then I have a deal with all the other packages on my system. No fun. Cheers, Alphalutra1
I see so in other words we shouldn't care about the commitment from a distro that consistently tries to patch critical bug the fastest, in same breath I should say the AV company who releases vdf earliest is not relevant here either.
Correct, to this very day its not a problem and since the disto's are now patching I highly doubt that this vulnerability will ever be a problem. Why did you use "widespread", I said "actually makes use of it" "use" has a far less standard than widespread..... C'mon, the "ticked off programmer" doesn't need any vulnerability to trash the system I'm not saying what someone should or shouldn't care about, I'm saying exactly how I feel about the subject. As for the AV example, hmm, I could show you over the years that "releases vdf earliest" wasn't "relevant" in what AV you used
Clearly debating to you will not accomplish anything since you are steadfast in what you think is correct. Picking apart comments and only using very small bits and ignoring the bulk of a comment will not accomplish anything in an intellectual discussion. I'll just say a few parting remarks. Security is proactive. OpenBSD has a great model for security, read it here. It is not reactive. If there is a problem, fixing it as quickly as possible is paramount. Ignoring it and not prioritizing it because you do not know whether or not an exploit in the wild is dumb. An exploit is an exploit. Its a bug in the software that needs to be fixed. If you are a programmer and find a potential bug, even if it is not likely to ever be encountered by a user, you fix it. Take the famous airplane entertainment system example. The distribution is in charge of ensuring that the software it distributes is fully patched and up to date. This is one of its foremost goals. Doing else wise and ignoring something because its inconvenient and hasn't had any problems yet is bad. Especially for something such as udev. You do know what that is right? It's not some user application running on some computers. It's essentially universal across the board on linux computers. If I were looking to exploit linux systems, either to add to a botnet, steal information, or any other malicious deed, I'd look for a universal infection vector. I think I just found one. Distributions that have smaller windows of vulnerability are doing a better job on the security front. Period. You can't argue with that. Cheers, Alphalutra1
I fully agree. The faster the gates are closed, the safer you are. Thats the purpose of a fort and in this case stands so true for OS. As I said before, thats the beauty of Linux, some distros strive to have the latest kernel and are very good for hardware compatibility, other distros prefer speed so they compile and use a fully optimized kernel, in case of Ubuntu its none of that, its downright slow compared to speed devils of Linux world, its also comparatively bloated with regards to other distros, however when it comes to patching, compatibility, working out of box or solutions combined with stability, Ubuntu takes the lead there, its all one's priorities in the end I guess. Thats the choice of Linux. I for one install only Ubuntu to people who are switching over from Windows, some of them are senior citizens as well. For them, telling them to learn things over would drive them back to Windows in a jiffy. I install nautilus-gksu to make things even easier to copy and paste files needing admin rights, this makes their transition easier instead of telling them to go via commands. For others like Java etc. I use a script. All this is a bit easier in Ubuntu but I am sure it can be done with other OS as well. Some OS in their quest for release come with bugs like ntfs drives not recognized, in Ubuntu thankfully thats not the case.
Here's your exploit fastgame only a couple of days later: http://www.milw0rm.com/exploits/8478 It'll probably join the in-the-wild vmsplice() exploit and be one of the top two most used exploits for gaining root access. But we needn't be worried should we? Cheers, Alphalutra1
Hi, Also good for painting passions on your desktop... And just for fun, an Ubuntu distro that i have seen on a computer gothic friend: Ubuntu Satanic Edition: http://ubuntusatanic.org/news/about/ Please, please, come back to Earth after using it... Rgds
Since I am a big fan of dark themes, it has one of the best functional dark themes around, the only thing I can't stand is the metal music, the distro comes loaded with it, after a while it gets jarring to ears but I do use the theme.
FastGame, Any reason you are using Ubuntu 8.04LTS? I install it on desktops and laptops using Intel graphics as the later versions of Ubuntu simply don't work too well with that chip. From compiz to Google Earth works fine in 8.04 and it also doesn't suffer from the screen going blank after logging out and re-logging in.
Hi Arup I was going happy with PCLinuxOS until they started having problems...they froze the repos about the same time 8.04 came out. I gave Ubuntu another try and everything worked perfect. So far it does everything I need and does it well, guess I need time to get out of the rolling release mode and Ubuntu LTS is some what rolling release like. Using it on an older Intell dual core 3.2 ghz, 3 gig ram, ATI 4850 (did have a bit of trouble with the ATI card)
8.04 is quite stable and has less CPU spikes compared to other releases of Ubuntu, one of the reasons it gets its LTS title. Its not the fastest or latest but its stable. I Have ATI 4850 dual GPU but I didn't' run into any issues with Intrepid. Actually some of the older softwares like Multi Get which is the closest thing to Windows FDM or Orbit runs only on Hardy and even compiles on it, there are other apps as well which are hardy alone, all this makes Hardy a good option. In fact for all the others needing Linux installations, I install Hardy LTS instead of the latest. Usually I don't face any hardware issues.
