The writeup is gonna be fun, not just for the technical details of it, not just because this RCE was there for more than a decade, but as a freaking example on how NOT to handle disclosures.
Like, I write software, I get it, I get how someone can be defensive about the stuff they write, I really do. But holy sh, if your software has been running on everything for the last 20 years, you have a freaking responsibility to own and fix your bugs instead of using your energies to explain to the poor bastard that reported them how wrong he is, even tho he’s literally giving you PoC after PoC and systematically proving your assumptions about your own software wrong at every comment. This is just insane.
Where is the link to the actual CVE, and what program is affected?
This is just a pre-announcement to drum up some hype. Any actionable info isn’t out there yet. The original tweet got taken down, I’m guessing because of backlash for not actually giving info people can do something with.
But given that evilsocket is a dev for networking focused programs, I’m guessing it’s something in the network stack.
Could be something that is just too bad to be released.
At any rate, keep all your Linuxes up to date.
I mean if it’s a CVSS 9.9 it’s gonna be on the level of zero click RCE to root/admin lol. The norm is definitely not to give any concrete details until vendors have a fix ready unless they’re being fuck heads about it.
This probably relies on some weird, nonstandard config, otherwise it’d be a 10. These vulnerabilities that affect “ALL” systems are usually oversold.
edit: yeah
By the way, CERT’s VINCE either has a backdoor, or an inside leak, or has zero vetting on who they add to a disclosure, because there’s been a leak of the exact markdown report that I only shared there, including the exploit.
lol this almost seems more concerning than the actual report
And of course I was 100% correct that this is no big deal. If anyone wants a real analysis:
Still can’t wait to see all the sensational clickbait headlines coming out on various “news” sources that repeat what the finder claims at face value with 0 fact-checking for the rest of the week
Well, Ubuntu did patch up on the day of disclosure. They aren’t bad either. But Red Hat has this “Prevention is better than cure” stuff in almost every CVE I have come across or read.
No wonder why PG recommends it. That doesn’t mean Ubuntu is bad, they did release a patch on the same day of disclosure. Just saying.