75 Comments
- ezkiel, on 10/12/2007, -2/+72 It's going to be said anyways, but they sure beat the pants off Microsoft (and even Apple) in responsiveness.
- michnaugh1, on 10/12/2007, -2/+27 Agreed, ezkiel. Everyone says it, but Ubuntu really does have a fantastic community. Definitely the best non-Linux-user-friendly experience I've had with a distro.
- peregrine, on 10/12/2007, -3/+27 Wow. I think this says something about the OSS community that you cannot say for M$ or Apple.
OSS++
Digg++
- prockcore, on 10/12/2007, -1/+17 That's true... the local privilege escalation found in OSX last week hasn't even been acknowledged by Apple yet, let alone fixed.
This was a big hole though.. I wouldn't expect anything less than an immediate response.
- coredump0x01, on 10/12/2007, -1/+16 The sheer beauty of open source, demonstrated once again. Even though it's just a series of grep and chmod commands, it will help newcomers to secure their boxes. Kudos to Ubuntu for releasing a fix so quickly (just 12 hours); a hole that big needed a swift response.
- technstuff, on 10/12/2007, -1/+9 Well, I guess under that philosophy, Microsoft shouldn't have released, well, anything yet?
- technstuff, on 10/12/2007, -1/+8 It would be nice if billion-dollar companies with thousands of programmers could respond like this, but I doubt it will ever happen. Thumbs up to the Ubuntu community.
- coredump0x01, on 10/12/2007, -1/+6 If you use Breezy, you can use Adept to grab the updates, but it's quicker and more universal to use apt-get. In a terminal, type 'sudo apt-get update && sudo apt-get install base-config passwd', which should do it. There's no auto-update that I know of (Dapper?).
- nu11, on 10/12/2007, -2/+7 Ubuntu++
- mbiesz, on 10/12/2007, -1/+6 According to one of the Ubuntu devs, the command for logging this part of the installation was set to log only the question and not the response. Thus, it was a bug in the logger and not the programmer's oversight.
- inactive, on 10/12/2007, -1/+6 Funny, I just read about the advantage of having an open-source OS, where if a bug is discovered, a fix will come in a few hours/a short time.
- cjwatson, on 10/12/2007, -2/+6 The fix (a) removes the offending password fields from any files under /var/log/installer/cdebconf/, and (b) does 'chmod 600' on all those files just to make sure.
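An added example of the two-step fix cjwatson describes, written for this page and not taken from the Ubuntu change itself: a small POSIX sh script that blanks the password answers in a cdebconf-style log file, restricts the file to its owner, and then checks that both steps took. The stanza layout ("Name:" / "Value:" lines separated by blank lines) and the assumption that password questions carry "password" in their Name are assumptions, as is the sample file, which is constructed here purely for illustration. On a real Breezy box the same scrub_passwords/lock_file/check_scrubbed functions would be run as root over /var/log/installer/cdebconf/*.

```shell
#!/bin/sh
# Added example, not the Ubuntu/cdebconf patch itself: reproduce the two steps
# cjwatson describes, (a) blank the password answers in the cdebconf log files
# and (b) chmod 600 them, then verify the result.
#
# ASSUMPTIONS (not stated on the page): the log files use RFC822-style stanzas
# ("Name:", "Template:", "Value:", ...) separated by blank lines, and the
# password questions have "password" somewhere in their Name. Adjust PW_NAME
# if your installer used different question names.
set -eu

PW_NAME='password'

# Write a constructed sample resembling questions.dat (test data only; every
# value below is invented for this example).
make_sample() {
    cat > "$1" <<'EOF'
Name: passwd/user-password
Template: passwd/user-password
Value: hunter2
Owners: d-i
Flags: seen

Name: passwd/username
Template: passwd/username
Value: alice
Owners: d-i
Flags: seen

Name: netcfg/get_hostname
Template: netcfg/get_hostname
Value: laptop
Owners: d-i
EOF
    chmod 644 "$1"     # world-readable, as in the ls -l output posted in this thread
}

# (a) Blank the "Value:" line of every stanza whose Name mentions a password.
# The file is rewritten in place (cat > file) so ownership is preserved.
scrub_passwords() {
    f=$1
    tmp=$(mktemp)
    awk -v pat="$PW_NAME" '
        /^Name:/  { pw = ($2 ~ pat) }
        /^Value:/ { if (pw) { print "Value:"; next } }
        { print }
    ' "$f" > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# (b) Make the file readable and writable by its owner only.
lock_file() {
    chmod 600 "$1"
}

# Return 0 only if no password stanza still carries a value AND the mode is
# owner-only; anything else means the password is still exposed.
check_scrubbed() {
    f=$1
    leftover=$(awk -v pat="$PW_NAME" '
        /^Name:/  { pw = ($2 ~ pat) }
        /^Value:/ { if (pw && NF > 1) print }
    ' "$f")
    [ -z "$leftover" ] || return 1
    case $(ls -l "$f") in
        -rw-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Stand-alone run on the constructed sample (on a real install, point the
# scrub/lock functions at /var/log/installer/cdebconf/* as root instead).
SAMPLE=$(mktemp)
make_sample "$SAMPLE"
if check_scrubbed "$SAMPLE"; then echo "unexpected: sample already clean"; fi
scrub_passwords "$SAMPLE"
lock_file "$SAMPLE"
if check_scrubbed "$SAMPLE"; then
    echo "password answers removed and $SAMPLE locked to owner"
fi
```

The check is the part worth keeping around: cjwatson's step (b) alone would hide the file from other local users, but only step (a) removes the value, so a box is only clean when both hold, which is what check_scrubbed insists on.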
- solidcube, on 10/12/2007, -0/+4 OOoooh! HUGE barnburning root hole (that shouldn't have been in there in the first place) fixed in just a few hours!
The Ubuntu team can just do no wrong!
- Linkage155, on 10/12/2007, -1/+5 According to the article, remove the saved password and limit viewing of installation files to root.
- coredump0x01, on 10/12/2007, -1/+5 You try managing and implementing an entire codebase and see if you get absolutely everything perfect the first time. The important thing is this bug has been fixed way before it could be impactful.
- dotwaffle, on 10/12/2007, -1/+5 [sigh]
It wasn't an unencrypted password being used - the Debian installer asks questions like "what password should the new user have" and this was erroneously logged, instead of just the question being asked being logged (the data should not have been stored).
The good thing is that the fault has been found, and quickly fixed; changes should be propagating soonish.
And yes, the Ubuntu installer is the Debian installer, with fewer questions asked. Rargh,
- drizek, on 10/12/2007, -1/+4 They fixed it before MS or Apple would have even acknowledged the bug existed.
- Linkage155, on 10/12/2007, -1/+4 They are new, recently started; this speed surely tells about their dedication.
- borkov, on 10/12/2007, -2/+5 And thanks to Digg and its community for helping bring this problem to the surface...
- inactive, on 10/12/2007, -4/+7 It was fixed in hours because it was a ***** stupid (and very basic to fix) mistake that should never have happened in the first place. I'm not congratulating them any more than I would if MS fixed a bug.
- troydoogle7, on 10/12/2007, -1/+4 or (KUBUNTU) click Adept package manager
1. Press full upgrade
2. Press Commit Changes
3. Profit!
- inactive, on 10/12/2007, -1/+4 It wasn't really a bug that bothered me, since I'm the only person who uses my laptop, but it's nice to see the power of OSS.
- inactive, on 10/12/2007, -1/+4 It took Microsoft years for SQL Server to post a patch when their passwords were left in clear text on install, and even more years before they specifically started to disallow blank passwords.
- nofxjunkee, on 10/12/2007, -1/+4 joshduck: did you actually just say that this bug in Ubuntu means that _every_ open-source project lacks a (supposed) certain level of QA? Please tell me you're joking...
- Halodude1489, on 10/12/2007, -1/+4 Wow, that was REALLY fast.
- w0mbat, on 10/12/2007, -0/+2 On a practical note, folks...
Even if you've just got the patch, it would be sensible to change the password you entered at install - if you haven't already.
- nbx909, on 10/12/2007, -1/+3 michael@mikeubuntu:~$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages will be upgraded:
base-config login passwd
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 979kB of archives.
After unpacking 0B of additional disk space will be used.
Do you want to continue [Y/n]?
- thereisnogod, on 10/12/2007, -1/+3 When they say fix, what does the fix do? Delete the file? chmod it? What?
- latour, on 10/12/2007, -1/+3 That's great, if only Microsoft could do that!
- clharlem149, on 10/12/2007, -1/+3 saved (and upped) their assumed integrity level
- capajc, on 10/12/2007, -1/+3 Is there an autoupdate for it to automatically get fixes like this when needed?
- clever, on 10/12/2007, -0/+2 You need to either be able to log in to the machine already, or have physical access so you can boot into a live CD and read the file. So in practice, this would mostly be an issue for multi-user systems where your local users could attack you. Think a family PC, or maybe your roommate's machine in a dorm that you could boot into Knoppix. It's an ugly problem.
What I see as a big reason that it's not "just a privilege escalation problem" is because you can actually see the password. If that password had also been used on other systems or for logins to other websites, for example, then all those systems are also compromised. This is more reinforcement for the "good practice" of using a different password for every login.
Kudos for them fixing it so fast, but it's still a nightmare problem for sites where the admin may not have logged in yet to update the system, but regular users are still able to access the system.
- burke, on 10/12/2007, -1/+3 heh. Probably before they even *knew* about it.
- ZeroDni, on 10/12/2007, -1/+3 I just wanted to make one thing clear: this is not a storage for passwords. This file is just a log, and if you change your password from the one you installed with, then this file will not help you find that password. Your question about MD5 is not necessary because it's a log file; the fix was just not to log the passwords at all during the install. The Ubuntu devs did the right thing: you don't need to encrypt something that shouldn't be there in the first place.
- l0ne, on 10/12/2007, -0/+2 We all know that Apple never acknowledges _anything_ before the fix is out.
- kapkorn, on 10/12/2007, -1/+3 The fact they won't hide their errors and are fixing it that fast is great. You can't ask for much more.
- technstuff, on 10/12/2007, -1/+2 Sorry, assumed everyone would know who I was talking about without being specific. I'll give Novell credit for their quick responses. Also, you could have replied directly to my comment, new Digg comment system :)
- mikeazorin, on 10/12/2007, -0/+1 I saw this on Digg last night before I went to bed, and I got the updates when I woke up.
- amed, on 10/12/2007, -1/+2 Oh man, news does travel really, really fast.
- ZeroDni, on 10/12/2007, -1/+2 I just wanted to let you know that there is an auto-updater in all Debian-based systems: just use apt-get update, then apt-get upgrade. I do this on Debian for any production server, but for home I just made a script like this:
#!/bin/sh
# daily unattended update; the noninteractive frontend keeps apt from prompting under cron
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y
and then put that shell script in /etc/cron.daily,
and I never have to think about it. And if you just wanted it for security updates, you could just set the target repository to just the security repository for the upgrade script.
- ali3n, on 10/12/2007, -0/+1 Nice work! Seems some folks found something creative to do with Ubuntu in their free time.
Some guy posted this on IRC, lol
(Ubutnoob) IRC h4xbot|dfmejbu: 60 -rw-r--r-- 1 root 60259 Dec 20 00:40 /var/log/installer/cdebconf/questions.dat
(Ubutnoob) IRC h4xbot|peowbar: 64 -rw-r--r-- 1 root 59638 Apr 22 2005 /var/log/installer/cdebconf/questions.dat
(Ubutnoob) IRC h4xbot|xtoscxj: 68 -rw-r--r-- 1 root 61992 Feb 5 18:17 /var/log/installer/cdebconf/questions.dat
(drumroll) and the award goes to... Ubuntu for largest insecure password botnet fiesta of 2006!
- Dolphinese, on 10/12/2007, -2/+3 What I don't understand is why unencrypted passwords are being used in the first place. Especially when one-way hashing algorithms like MD5 are a dime a dozen in just about every language under the sun (APL, Logo and C64 BASIC notwithstanding).
- cokebottletuque, on 10/12/2007, -1/+2 The problem as I understand it is that the password gets logged during installation and that the bug was in the logging program configuration. To me this implies the relatively simple solution of changing the root password (which you should be doing every 6 months anyways, more often if you are running a server).
- QettoE, on 10/12/2007, -0/+1 Microshaft should learn from the speed with which Linux security holes are being fixed. There are still security holes in IE which have been there for over three years.
- emptymind, on 10/12/2007, -0/+1 Gotta love it. And no reboot :)
- inactive, on 10/12/2007, -1/+2 Please give me negative comments because I was anti-Ubuntu..
my Gentoo box still owns your "linux-distro-for-noobs"
- matgorb, on 10/12/2007, -0/+1 Well, it's nice they somehow fixed it (but what happens, for instance, if I reinstall later from the CD and don't update; let's say I'm a poor African user without Internet or on dial-up?...)
I sure hope now that the Dapper release will be pushed 6 weeks forward, so they can do some testing (at least a grep password /...)
Well anyway, I'm using Ubuntu, and I like it, but please let's not have two ways of dealing with things; if it were MS or Apple, people would be literally screaming in the street (and I doubt Apple or MS would take long to make a fix that basically removes a file). This is not some security hole, THIS IS YOUR ***** ADMIN PASSWORD IN CLEAR TO ANYBODY WITH ACCESS TO THE MACHINE; let's think school, library etc., no need to be a hacking wizard, so let's not compare it to anything, it is UNACCEPTABLE, and I hope it will not hurt Ubuntu adoption (_IT Manager: "...Ubuntu, that distro that stores the password in clear text, no thanks...")
- gookie, on 10/12/2007, -0/+1 Kewl, nice work Ubuntu devs.
Just a question tho:
So the bug is fixed on "installed" systems. But what about the INSTALLER, which in the first place presented the problem: is it fixed? If I download an ISO installer now, will the log not be created anymore, or will it be created THEN cleared by the updater? What about the pressed CDs from ShipIt? What about my stacks of Breezy CDs that I want to give to friends? They're generally flawed. The updater is nice. But it's much safer if the problem itself can be prevented before it can even come up.
.02 cents.
- AlanLivingston, on 10/12/2007, -0/+1 When you say "not stored anywhere", I assume you mean stored in RAM. But the maintainer seems to indicate otherwise. Why else would they need to "...take a lot of care to clean them out of the database afterwards..."?
- tsupersonic, on 10/12/2007, -0/+1 Wow, that was quick.