Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses
Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009 -- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
RE[4]: Zealot
by lemur2 on Tue 15th Jun 2010 23:17 UTC in reply to "RE[3]: Zealot"

"...and it's worse than installing manually software YOU chose to install because you TRUST the repository of the linux distribution.
I fail to see how it's worse than installing software manually. Debian users got an OpenSSL security update as soon as the vulnerability was patched, because it was in the repository. In fact, not only did it fix the vulnerability, but there were several layers of safety in the patch to identify weak keys and warn the user if they are present, as well as stopping any of the same keys from coincidentally being generated in the future (because any attacker would look for the known weak keys first). The Debian vulnerability was caused by human error, not by malicious intent as we've seen in the UnrealIRC problem. One flaw doesn't prove that the system is broken. Multiple flaws do. Internet Explorer 6 isn't broken because of a cross-site-scripting flaw discovered in 2006, it's broken because people keep finding cross-site-scripting flaws in it. The same applies with the repositories."

Once again, with emphasis, this UnrealIRCd problem has absolutely nothing to do with the repository system.

UnrealIRCd didn't use the repository system, and THAT was the problem.

Score: 2