Spyke

It's listed as medium severity and appears to require the hacker to already have terminal access to the system. It's also already patched and there's a quick and easy workaround if your distro doesn't have the fix yet.

116

I think that the OP (the article author) is not looking at this the right way. Like yea it sucks another exploit is found, but it's not like if it wasn't found it doesn't exist.

I think it's much better to have them published and fixed than to live in blissful ignorance when someone could be exploiting it in the wild.

110
lemmy.world

Oh FFS, the rest of my life is doomed to be spent updating software

62
LeapSecond
lemmy.zip

But careful not to update too fast and fall on the supply chain attack of the week.

51

Pretty sure that was in the bible.

Proverbs 25:16 - If you find honey, eat just enough - too much of it, and you will vomit.

Could update that to be: If you find updates, apply them - too soon though, and you will vomit your credentials.

5
NGC2346
sh.itjust.works

It is more important than ever to introduce geo-ip conditional access on your network(s). That way you limit your attack surface by a significant margin.

10
9point6
lemmy.world

My personal stuff 100%

For work? No such choice (apart from the obvious ones)

4
NGC2346
sh.itjust.works

Your work most likely already has conditional access through MS Entra

1

Not a Microsoft shop, but yes they have a pretty extensive IDS for anything public facing, another company to handle internal Auth

1
quokk.au

All found with AI, you haters. And Linus complains the mailing list is too busy… with bugs.

-96
Sickday
kbin.earth

too busy… with bugs.

with duplicate bug reports.

“the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.”

67
meowmeow
quokk.au

Mailing lists, it turns out, are a bad tool.

-58
Haquer
lemmy.today

It's worked for over 30 years, until the slop generators turned on.

Dunno duder

38
meowmeow
quokk.au

Times change. I’d say if slop finds exploitable bugs, it’s not slop. And if your 30 year old method of doing something doesn’t work anymore, take a few minutes to make a better solution. 🤷‍♂️

-37
slrpnk.net

Yes but the problem is that people keep submitting the same bug again and again and again. Some bugs exist because they haven't been spotted, but there's a heckton of bugs that are known about, but no-one has been able to put forward a fix for them yet. Overloading people with duplicate reports just means that they have less time and brainspace available to spend on fixing bugs.

Duplicates don't add anything to the conversation

25
Iconoclast
feddit.uk

Duplicates don’t add anything to the conversation

But it's not the same person reporting the same bug multiple times but rather a new tool enabling multiple people to discover that same bug at the same time.

Not reporting it because "someone else probably will" is a sociopsychological phenomenon called diffusion of responsibility.

-1

It's not about "someone else probably will", it's about "someone else already has". No one is advocating for diffusion of responsibility.

4

richmondez
lemdro.id

All found with some AI assistance and a lot of human expertise sifting through the hallucinations to work out the actually exploitable stuff. And the AI bug apocalypse has turned up a whole 4 serious bugs so far, ooo scary. I'm still waiting to be impressed.

47

And that (obviously) is the low hanging fruit. We end up with a more secure kernel, and these filter in at a manageable rate and the bar raises. Pretty damn good scenario IMO.

Closed source is going to have a much worse time.

14

It's funny how almost all the AI services out there seem to have forgotten to publish any precision/recall stats.

10

No no, real numbers would hurt the bottom line. AI relies on great expectations and overly trusting techbros.

2
meowmeow
quokk.au

No one thinks impressing you is a goal.

-39
meowmeow
quokk.au

Lemmy has driven me to be an angry person who likes to point out how hypocritical people are.

-32
db2
lemmy.world

You should try not sucking at it though.

37
meowmeow
quokk.au

Sucking is relative. I would have to respect you for that to be an insult.

-26
greyscale
lemmy.grey.ooo

You're getting ratio'd pretty hard (by lemmy standards)

You don't have anyone here's respect, so why would they care for yours?

11
meowmeow
quokk.au

I don’t have any concern for votes because I do not display them. Just because you, and several other alt accounts, can push a down button doesn’t mean that will ever affect me – because I can’t see it. However, according to you – every single downvoted comment is a bad comment regardless of its content. So according to you, if I get downvoted for complaining about, let’s say, murdering innocent children, then I must be a bad person. Your logic doesn’t work out, buddy.

-19

I didn't read your message.

Edit: Because you seem a little thick: Because I don't respect you.

9

two week old account seemingly dedicated to peddle AI… blocked

5
discuss.tchncs.de

All found with AI, you haters. And Linus complains the mailing list is too busy… with bugs.

All found with my infinite set of monkeys on typewriters.

5
Iconoclast
feddit.uk

This isn't an example of a broken clock being right twice a day. Torvalds is complaining that his inbox is flooded with bug reports because everyone's monkey suddenly started outputting Shakespeare.

0

Torvalds is complaining that his inbox is flooded with endlessly duplicated bug reports because everyone’s monkey suddenly started outputting low-grade, plagiarized, relentlessly repeated "Shakespeare"

1