From bleeping computer:
https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released
4 Likes
Thanks for sharing this. That is a pretty serious bug.
4 Likes
I thought the impacted kernel versions were v5.12 and above. I’ll research this some more.
This bug report from Redhat contains additional information, including a like to a kernel patch.
2 Likes
From the first link @Eltuxo posted and that is what I understood:
Today, security researcher Max Kellermann responsibly disclosed the ‘Dirty Pipe’ vulnerability and stated that it affects Linux Kernel 5.8 and later versions, even on Android devices.
I am not sure about the responsibility part but I have the newest security patches in my kernel.
2 Likes
Just went backwards from 5.13 to 5.4 LTS today.
What I have been taught in my security training/certifications is that the accepted method upon discovering a zero-day vulnerability is to notify the appropriate party (developer/vendor) and give them 30-days before making a public announcement.
However, some have opted for the fame of going public immediately. This should be shunned as unprofessional.
After 30 days, if the developer/vendor has not responded, refuses to acknowledge, or does not address the vulnerability, then it is considered acceptable by those in the security field to put public pressure on the issue.
1 Like