Major Ubuntu Security Warning

From Slashdot:
"An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects the 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."

Solution
http://www.ubuntu.com/usn/usn-262-1
 
That's a pretty nasty bug :eek: It makes you wonder what other gaping holes in security they've left.
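
An added example, not part of the original post or the Ubuntu advisory: a small shell audit for the class of problem described in the quote above, log files left readable to all users that contain password-like strings. The directory argument, the function names and the search pattern are assumptions chosen for illustration; no path here is taken from the advisory.

```shell
#!/bin/sh
# Added example: audit a log directory for files any local user can read.
# The directory is supplied by the caller; nothing here comes from the advisory.
# Assumes file names without embedded newlines.

# Print regular files under $1 that have the "other read" permission bit set.
world_readable_files() {
    find "$1" -type f -perm -004 -print | sort
}

# Of those files, print the ones that contain password-like strings.
# The pattern is a constructed heuristic, not an exhaustive secret detector.
world_readable_secrets() {
    world_readable_files "$1" | while IFS= read -r f; do
        if grep -qiE 'passw(or)?d|passphrase' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove all "other" access from the flagged files.
# Owner and group permissions are left untouched.
lock_down() {
    world_readable_files "$1" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# When run as a script with a directory argument, report only (no changes).
if [ "$#" -gt 0 ]; then
    world_readable_secrets "$1"
fi
```

Tightening permissions only stops further reads; a password that sat in a world-readable file should be treated as exposed and changed.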
 
riven said:
You mean like on windows where everyone has a root account by default :rolleyes:

I was coming more from the angle of a critical issue, not the way accounts are created etc.

I'm not slating Linux or anything, as it is an amazing OS. Just merely stating a moot point which is rather off topic. :S
 
Yeah, it is a bit of a myth that Linux doesn't have lots of vulnerabilities discovered; just look at all the GLSA entries in a week. But the difference is most of them are fixed very quickly. Although there are still many things overlooked. E.g. Gentoo contains no sane ulimits. This means a forkbomb (that can be written in one line of code) can bring a Gentoo system down if the user hasn't set any ulimits. Of course the Gentoo creators aren't willing to include ulimits by default, as most Gentoo users wouldn't like this, as Gentoo is about choice and setting your own config.
 
riven said:
You mean like on windows where everyone has a root account by default :rolleyes:

Even Windows doesn't leave the password in a plain text file on the hard drive. You must admit that if Microsoft had done that, the Linux nerds on slashdot and so on would be wetting themselves with glee ;)
 
dirtydog said:
Even Windows doesn't leave the password in a plain text file on the hard drive. You must admit that if Microsoft had done that, the Linux nerds on slashdot and so on would be wetting themselves with glee ;)
My guess is that plenty of 'Doze users save the admin password in plain text by default though, in password.txt :D
 
Loads of Windows users have an admin user set up for autologin with no password at all :confused: :rolleyes: because it's the default way that the install sets up the accounts.

Too many things left open in Windows, discover a vulnerability and leave it for a few months or more.

But let's not go on about how much better Linux is than Windows, especially on a default install :p ;)
 
mortals said:
Loads of Windows users have an admin user set up for autologin with no password at all :confused: :rolleyes: because it's the default way that the install sets up the accounts.

Because that's the way the majority of home users want it set up.
 
dirtydog said:
Even Windows doesn't leave the password in a plain text file on the hard drive. You must admit that if Microsoft had done that, the Linux nerds on slashdot and so on would be wetting themselves with glee ;)

That's kind of what I was getting at.
 