Unauthenticated RCE vs. all GNU/Linux systems (+ others) disclosed 3 weeks ago

twitter.com

35 points by jesboat a year ago · 9 comments

Prickle a year ago

> Not yet, according to the devs the plan is to disclose to Openwall on September 30 and afterwards the full disclosure will happen on October 6

So I understand this means we will need to wait till October 6 for more details. Would it be safe to assume anything being talked about right now is speculation?

siptin a year ago

It's probably something that's unexploitable in practice or rarely enabled by default or both if the developers aren't too bothered about fixing it. Sounds like yet another vulnerability that's more hype than anything serious.

  • theamk a year ago

    Agreed - the only RCE vulnerabilities that would IMHO qualify as "All GNU/Linux systems" would be in the Linux kernel networking stack and maybe in OpenSSH.

    But the "(+ others)" seems to imply it's not the Linux kernel.

    And OpenSSH is maintained by OpenBSD folks, who take security extremely seriously. I cannot imagine them taking 3+ weeks and not having a security fix, nor arguing whether "Unauthenticated RCE" has a security impact.

    So I am guessing it's one of the other common packages, probably not installed on every computer and/or not normally exposed to the internet.

theamk a year ago

Other discussion: https://news.ycombinator.com/item?id=41636796

jesboatOP a year ago

* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.

* Full disclosure happening in less than 2 weeks (as agreed with devs).

* Still no working fix.
