[GTALUG] Federal agency warns critical Linux vulnerability being actively exploited

Dhaval Giani dhaval.giani at gmail.com
Thu Jun 6 02:06:19 EDT 2024


> Summary:
>
> - the bug isn't important unless you run random stranger's code on your
>   computer.  If you do, the bug would let them escalate their privilege.
>
So - beware of this statement. Every time you access the internet, you run a
random stranger's code on your computer. Yes, JavaScript is generally
sandboxed, _but_ a lot of active exploitation is chaining a number of small
bugs together to achieve the needed effect. There are some great
examples on the Google security blog.

Now - having been a distro representative in the past on distros@ - the
distros are pretty good at patching these issues, especially when there are
serious security issues that led to an embargo. So as long as you regularly
do a "dnf update" or whatever the apt equivalent or your distro's
equivalent is - you should be fine. Don't forget to reboot to allow the new
kernel to actually be running.


> - I imagine the only vulnerable systems at the time of the Ars Technica
>   article were those that were not being regularly updated.  It came out
>   over three months after fixes were released.
>
> - you can look up what your distro says about CVE-2024-1086
>

I would highly discourage this piecemeal update of CVEs. For most users,
you do not care what CVE was fixed, but that a CVE was fixed. Keep updating
your distro on a regular basis (I tend to do it daily, since Fedora has a
lot of churn) and as per theory you should be fine. I cannot think of a
workload on a laptop/personal computer which cannot handle a reboot.

Dhaval
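The point about rebooting so the new kernel is actually running is easy to check mechanically. The script below is an added example written for this page, not something posted in the thread: it compares the running kernel (`uname -r`) against the newest kernel image installed under `/boot`. It assumes the common `/boot/vmlinuz-<version>` naming used by Fedora and Debian-family distros and a GNU `sort` that understands `-V`; the version strings in the demo are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): report whether the newest
# installed kernel is the one currently running, i.e. whether a kernel update
# is still waiting for a reboot to take effect.

# newest_kernel "<space-separated version list>"
# Prints the highest version by natural version order (GNU `sort -V`), after
# dropping distro rescue images, which are not real update candidates.
newest_kernel() {
    printf '%s\n' $1 | grep -v rescue | sort -V | tail -n 1
}

# needs_reboot <running-version> "<installed version list>"
# Prints "yes" when a newer kernel is installed than the one running.
needs_reboot() {
    running=$1
    newest=$(newest_kernel "$2")
    if [ "$running" = "$newest" ]; then
        echo no
    else
        echo yes
    fi
}

# live_check: inspect the real host (assumption: kernel images live at
# /boot/vmlinuz-<version>, matching the format of `uname -r`).
live_check() {
    installed=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||')
    if [ -z "$installed" ]; then
        echo "no kernel images found under /boot; cannot decide"
        return 0
    fi
    running=$(uname -r)
    echo "running:   $running"
    echo "newest:    $(newest_kernel "$installed")"
    echo "reboot needed: $(needs_reboot "$running" "$installed")"
}

# Demo on constructed values: a host that installed 6.9.3 but still runs 6.8.9.
demo_running='6.8.9-300.fc40.x86_64'
demo_installed='0-rescue-0123456789abcdef 6.8.9-300.fc40.x86_64 6.9.3-200.fc40.x86_64'
echo "demo reboot needed: $(needs_reboot "$demo_running" "$demo_installed")"   # yes

# Uncomment to inspect the machine the script runs on:
# live_check
```

The same check generalises to any distro whose kernel package drops a versioned image into `/boot`; on hosts that use a different layout, adjust the glob in `live_check` rather than the comparison logic. Plain string comparison is not enough here because `6.8.10` must sort after `6.8.9`, which is why the helper relies on `sort -V`.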