[plug] Is Red hat truly flawed?
Bret Busby
bret at clearsol.iinet.net.au
Tue May 2 12:20:01 WST 2000
I have just found the following news item, at
http://www.australianit.com.au/common/storyPage/0,3811,633573%255E442,00.html
Does anyone know whether this is genuine, or just a hoax?
I understood that a single version of each release of the Linux kernel,
existed, and that it had to be approved by Linus Torvalds, before it
could be officially released. Am I wrong in my understanding?
--
Bret Busby
......................................
Warnings over Red Hat 'flaw'
DOMINIQUE JACKSON
An Australian Internet consultant says he has found serious
flaws in Red Hat Linux, just days after reports of another
security hole were released.
Sydney-based Adam Todd said a major security breach in
the Red Hat kernel allowed a hacker to bypass the login
process, bypass passwords, and copy the original password
file.
"This allows me to gain the highest level of user privileges
within the kernel itself," he said.
But Mr Todd said the flaw was beyond the normal hacker.
He said it was probably created by someone who had
worked with Red Hat.
"Whoever started it knew exactly what was needed," he
said.
Mr Todd challenged members of the "Link" mailing list to
put their Red Hat servers up for hacking, and has
succeeded in hacking nine of 17 systems owned by
government agencies, ISPs, businesses and individuals.
He said that when he had broken through all the servers,
an email would be sent to their owners telling them that
their systems had been violated. A message also would be
sent to the Link list and the AusISP list with details of the
servers hacked and the security flaw.
Mr Todd said he hoped to finish the task in the next
fortnight.
He said he first found the flaw in 1997 when a server running
Red Hat in the data centre hosted by his company AH Net
was hacked. He said that Red Hat ignored his warning.
Mr Todd said when security issues resurfaced on the Link
mailing list, he issued the challenge.
Red Hat technical alliance director Robert Hart responded,
asking for proof.
He wrote that Red Hat used the standard Linux kernel,
which meant the security hole should appear in other
distributions of Linux.
Mr Todd, a Slackware Linux user, responded that there was
no definition of a standard Linux kernel and that he had
not seen the problem occur on other versions of Linux.
Grant Bayley, organiser of hackers group 2600 Australia, has
also called for proof.
"I don't think such a bug exists, because with Linux in
particular, there's enough eyes looking at the software to
notice it," he said.
"I'm sceptical because no information is being released
about it."
Red Hat Asia-Pacific director of professional services Miles
Gillham said that if the hole was genuine, the company
would issue a patch or update on its website within 24
hours.
Last week, Internet Security Systems's X-Force team found a
backdoor in Red Hat Linux.
sunsite.anu.edu.au/link
.....................................