Administrator root password readable in cleartext on Ubuntu Breezy


Via diggdot.us: Ubuntu Breezy has a confirmed, critical bug that lets any user find the password of the first registered user by reading the file /var/log/installer/cdebconf/questions.dat, which is world-readable. The problem does not affect the Dapper version.

This means admins running Breezy will have some headaches over the next couple of weeks. If you can upload a php/perl/etc. file to the server, you can read the password out of /var/log with fopen(), and that means you’re done in many scenarios. Word of advice: don’t do something stupid. If you like security, or even if you don’t, a note on your police file won’t help your curriculum.
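A check for the exposure described above, as an added example that is not part of the original post: it lists files under the installer log directory that any local user can read and, with `fix`, restricts them to owner-only mode. The function names, the `INSTALLER_DIR` variable and the choice of mode 0600 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit installer logs for
# world-readable files, such as the questions.dat named in the post.

# List regular files under directory $1 that "other" users can read.
list_world_readable() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Count them (0 means nothing is exposed to unprivileged local users).
count_world_readable() {
    list_world_readable "$1" | wc -l | tr -d ' '
}

# audit_installer_logs DIR [report|fix]
#   report: print each exposed file with its mode and owner.
#   fix:    also restrict each exposed file to owner-only (0600); this mode
#           is this example's assumption, not the distribution's own fix.
# Returns 0 when nothing world-readable remains, 1 otherwise.
audit_installer_logs() {
    dir="$1"
    action="${2:-report}"
    if [ ! -d "$dir" ]; then
        echo "SKIP: $dir does not exist"
        return 0
    fi
    if [ "$(count_world_readable "$dir")" -eq 0 ]; then
        echo "OK: no world-readable files under $dir"
        return 0
    fi
    echo "EXPOSED: world-readable files under $dir:"
    find "$dir" -type f -perm -004 -exec ls -l {} +
    if [ "$action" = "fix" ]; then
        find "$dir" -type f -perm -004 -exec chmod 600 {} +
        echo "FIXED: modes set to 0600; change any password stored there"
    fi
    [ "$(count_world_readable "$dir")" -eq 0 ]
}

# Default target is the directory from the post; pass "fix" as $1 to remediate.
# "|| true" keeps this call from aborting a caller that uses "set -e".
audit_installer_logs "${INSTALLER_DIR:-/var/log/installer}" "${1:-report}" || true
```

Tightening the file mode only stops further reads; a password that sat in a world-readable file should be treated as disclosed and changed.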

I’ve been using Ubuntu on my laptop for some time now and must say it never let me down. The guys did a great job. It’s a good install-and-go/Just Works distro and that’s what I need right now. Flawless package management, on-the-fly Gnome desktop, OpenOffice, Flash, Evolution 2.5.x, etc. I don’t see this bug affecting the popularity of Ubuntu, but then again we all know that critical servers are not their market.

References:

* https://launchpad.net/distros/ubuntu/+bug/34606
* Follow thread on ubuntuforums.org

Note to self: Subtract 4 days and you get the day Google acquired Writely. As Russell Beattie pointed out, we’ve got ourselves another winner in the Web 2.0 Acquisition Lottery.

