
414 points st_goliath | 6 comments
teddyh ◴[] No.43972000[source]
Note: In Debian, GNU screen is not installed with setuid-root privileges.
replies(4): >>43972155 #>>43972240 #>>43972667 #>>43972691 #
perlgeek ◴[] No.43972691[source]
And the package in Debian Stable (aka bookworm) is too old to be affected by the vulnerabilities in 5.0.0.

I used to hate that Debian always was behind on software versions, but now I use different package sources for the few applications where I really don't want to rely on old software (like browsers), and otherwise doing great with the old stuff :-)

replies(2): >>43972806 #>>43980202 #
1. bandrami ◴[] No.43980202[source]
Debian stable users missed Heartbleed entirely. I think the glacial pace is underrated.
replies(2): >>43980272 #>>43982665 #
2. krferriter ◴[] No.43980272[source]
Glacial pace bedrock of an OS with optional sandboxed more-up-to-date userspace packages and runtimes that can be layered on top of the host system was the dream of flatpak/snap/appimage, right?
replies(1): >>43980724 #
3. bandrami ◴[] No.43980724[source]
Yes, though that comes with its own headaches since the data those sandboxed applications are supposed to touch are the only actually valuable data on my computer. (How many versions of OpenSSL are currently running on my Silverblue system? I literally couldn't tell you.) My spreadsheet is only vouched for by some random dude on Flathub and it can steal all my financial information. But at least it can't add a printer, or delete a system file that I can freely download from the Internet at any time.
replies(1): >>43996520 #
4. rs_rs_rs_rs_rs ◴[] No.43982665[source]
> Debian stable users missed Heartbleed entirely

Missed it? Not at all, Debian pioneered that style of bugs years before!

https://github.com/g0tmi1k/debian-ssh

replies(1): >>43983784 #
5. bandrami ◴[] No.43983784[source]
And the default SELinux config was broken for like 15 years IIRC. It's always pick your poison.
6. rlpb ◴[] No.43996520{3}[source]
This is a decent observation, but I would add that some other Flatpak app that you run might be correctly sandboxed from accessing your financial information, and this is the real benefit of such a system.