Fedora Core 2 Test 2 - delayed

Vincent pros-n-cons at bak.rr.com
Sat Feb 28 00:39:55 UTC 2004


On Fri, 27 Feb 2004 10:02:09 -0500 (EST)
"Mike A. Harris" <mharris at redhat.com> wrote:

> On Fri, 27 Feb 2004, Leonard den Ottolander wrote:
> 
> >How well scrutinized is this NSA code actually? Everybody can see they
> >won't slip in an obvious backdoor, but how about nasty little overflows,
> >tucked away deep inside the code, for which they already have exploits
> >in their drawer?
> 
> Aside from rejecting SELinux merely due to conspiracy theories
> alone, what would be your suggestion to ensure that this is not
> the case?
> 
> If you really think about it, you can apply the same conspiracy 
> theory to the Linux kernel, XFree86, and every other piece of 
> software in the system.
> 
> There are quite a few security vulnerabilities found and fixed in 
> OSS source code.  How can you truly be sure that a given 
> vulnerability wasn't planted there intentionally?
> 
> Take the recent XFree86 security update which contains fixes for
> libXfont.  Do we really know for sure that when Keith Packard 
> wrote that 14 or so years ago, that he didn't intentionally put 
> the buffer overflows in there, so that he could 0wn all machines 
> running the X Window System 15 years later?  ;o)
> 
> You did upgrade X to the latest version right?  ;o)
> 
> 
> 
> -- 
> Mike A. Harris     ftp://people.redhat.com/mharris
> OS Systems Engineer - XFree86 maintainer - Red Hat
> 
> 
> -- 
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-devel-list

I thought Fedora wasn't vulnerable to that bug due to exec-shield. Packard never
saw that one coming!