I suppose that, as is usual with Linux utilities, needrestart can be updated without needing a restart.
'Alarming' security bugs lay low in Linux's needrestart utility for 10 years
Researchers at Qualys refuse to release exploit code for five bugs in the Linux world's needrestart utility that allow unprivileged local attackers to gain root access without any user interaction. The security shop's Threat Research Unit (TRU) said it was able to develop a working exploit but wouldn't release it, describing …
COMMENTS
Thursday 21st November 2024 16:47 GMT Henry 8
Re: General Linux utility
The Qualys post everyone is linking to says "The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server." which seems to have been widely misinterpreted (in every report I've seen on this issue) as "this is a bug in Ubuntu Server".
Thursday 21st November 2024 17:59 GMT diodesign
Cos Qualys
Hey - it's because Qualys focused on Ubuntu Server as it has the tool by default, and it's a widely used flavor. Yes, needrestart is present in other distros but not necessarily installed. It's not on my El Reg office Debian Linux workstation.
Still, we've tweaked the piece to appeal more to everyone who has the thing installed, by default or by choice.
C.
Thursday 21st November 2024 19:48 GMT Doctor Syntax
Re: Cos Qualys
It seems to have been derived from another project, checkrestartneeded. Both are in the repositories for Devuan and Debian but neither is installed on my desktop/laptop either. It's easy to see why. They're to make sure any updated libraries are brought into action by ensuring everything that runs them gets restarted. Desktops and laptops get rebooted fairly often (unless they're left running for the janitor to come round at night and fix everyone's problems for them) so it's really a server need where there are long-running daemons. But Debian is pretty good at restarting daemons anyway. I wonder if it's something that's used for setting up the .deb files before distribution.
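The check the comment above describes (finding processes that still run a library which has since been replaced on disk) is what the kernel's `(deleted)` marker in `/proc/<pid>/maps` exposes. Below is an added example of that check; it is not needrestart's own code, and the `/proc/<pid>/maps` lines in `SAMPLE_MAPS` are constructed for the demonstration.

```python
"""Flag running processes that still map a shared library that has been
replaced on disk, the condition a tool like needrestart exists to detect.

Added example, not needrestart's code. SAMPLE_MAPS is a constructed dump;
scan_proc() reads the real /proc on a live Linux host.
"""
import os
import re
from typing import Dict, List

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

DELETED_SUFFIX = " (deleted)"

# Deleted mappings under these prefixes are routine (shared memory, temp
# files) and do not indicate an un-applied library update.
_IGNORED_PREFIXES = ("/dev/", "/tmp/", "/run/", "/memfd:")


def stale_libraries(maps_text: str) -> List[str]:
    """Return the unique file paths in a maps dump that the kernel marks
    '(deleted)': the file was unlinked or replaced after being mapped, so
    the process is still executing the old copy."""
    stale: List[str] = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.endswith(DELETED_SUFFIX):
            continue
        path = path[: -len(DELETED_SUFFIX)]
        # Anonymous mappings have inode 0 and no real path; skip them too.
        if m.group("inode") == "0" or not path.startswith("/"):
            continue
        if path.startswith(_IGNORED_PREFIXES):
            continue
        if path not in stale:
            stale.append(path)
    return stale


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk proc_root on a live system and return {pid: [stale paths]} for
    every process that should be restarted. Pids whose maps cannot be read
    (other users' processes when not root) are skipped."""
    result: Dict[int, List[str]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps")) as f:
                stale = stale_libraries(f.read())
        except OSError:
            continue
        if stale:
            result[int(name)] = stale
    return result


# Constructed sample: a daemon that mapped libssl before the package was
# upgraded, plus a harmless deleted memfd mapping and the stack.
SAMPLE_MAPS = """\
5558a0c00000-5558a0c10000 r--p 00000000 fd:01 131098  /usr/sbin/sshd
7f3c1a000000-7f3c1a020000 r--p 00000000 fd:01 262401  /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f3c1a020000-7f3c1a0a0000 r-xp 00020000 fd:01 262401  /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f3c1a100000-7f3c1a120000 r--p 00000000 fd:01 262310  /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c1a200000-7f3c1a201000 rw-s 00000000 00:01 4099    /memfd:shm (deleted)
7ffd8c000000-7ffd8c021000 rw-p 00000000 00:00 0       [stack]
"""

if __name__ == "__main__":
    print("stale in sample:", stale_libraries(SAMPLE_MAPS))
    for pid, libs in sorted(scan_proc().items()):
        print(pid, libs)
```

Run as root to see every process; as an ordinary user only your own processes are readable, which is also why a privileged helper tends to be involved in this kind of check.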
Thursday 21st November 2024 19:59 GMT Anonymous Coward
That's the Achilles heel of Linux: no one is paid to fix obscure, boring bugs, it's not as sexy as working on the "latest thing".
Similar issue with proprietary software, the bugs are obscure and boring, but at least for most commercial companies except for MS, there's usually an incentive to keep the paying customers reasonably happy and relatively safe. Relatively, I wrote, not absolutely.
Thursday 21st November 2024 20:19 GMT Gene Cash
From the Debian package description
Features:
- supports (but does not require) systemd
- binary blacklisting (i.e. display managers)
- tries to detect required restarts of interpreter based daemons (supports Java, Perl, Python, Ruby)
- tries to detect required restarts of containers (docker, LXC)
- tries to detect pending kernel upgrades
- tries to detect pending microcode upgrades for Intel CPUs
- could be used as nagios check_command
- fully integrated into apt/dpkg using hooks
Sounds like it's a complex tool that has a lot on its plate.
Friday 22nd November 2024 09:04 GMT the reluctant commentard
Ubuntu page with which versions have the fix
The article states that version 3.8 fixes the issue, however that is the version number of the source project on Github. Ubuntu backports fixes to various flavours of Ubuntu, and so the actual version number on an installation is different.
Here is an Ubuntu page listing which versions contain the fix for each flavour of Ubuntu: https://ubuntu.com/blog/needrestart-local-privilege-escalation
Friday 22nd November 2024 09:34 GMT sabroni
Re: Nothing valuable appears to be lost doing this.
How thoroughly did you check?
The valuable thing this does is reboot after you install an update that needs a reboot. Without it you think you have installed the update but if the device hasn't rebooted then you don't.
If you're installing updates to reduce vulnerabilities then switching this off could leave you unprotected until a manual reboot.
You decide whether that is valuable. Given how infrequently Linux machines are rebooted you could be vulnerable for a long time, right?
Friday 22nd November 2024 19:05 GMT bazza
Re: Nothing valuable appears to be lost doing this.
Most of the times I’ve updated my Ubuntu server installations there’s been a fresh shiny kernel to reboot into anyway, and a manual reboot is required anyway. That does rather negate the value of having a tool that tries to work out whether anything else needs a reboot.
Sunday 24th November 2024 17:02 GMT BPontius
20/20 vision is hard through rose colored glasses
Isn't "so many eyes on the code" supposed to prevent this? Is that not the Linux security super power? The 33-year-old rose-coloured glasses used to view Linux security need a new prescription, as the reality-distorting lenses and utopic tinting are no longer protecting Linux users from seeing the harsh reality.