Linux Kernel e1000 Ethernet Card Driver Buffer Overflow Vulnerability

SecurityFocus.com ^ | May 14, 2004 | SecurityFocus.com

[Bush2000]

Just trying to be helpful, Linux kneepadders...

[old-ager]

Sure ;-)

[B Knotts]

Of course, being the fair guy that you are, you would point out that this only affects people who are using this particular device.

I don't have any of these. The only gigabyte ethernet I have is Broadcom.

[byteback]

LINUX is unsecure? I'm shocked!

[N3WBI3]

I notice that kernel 2.6 is not affected, not that you would be sharp enough to notice..

[inflation]

What is you take on the CEO of microsoft saying that tech people in the US should make no more than 55,000 per year?

[Libloather]

Sher glad I use Windows...

[N3WBI3]

An analysis of the issue...

If you are running GB Ethernet cards and kernel 2.4 there is a potential bufferflow. It has been released:

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com mailto:vuldb@securityfocus.com>.

Way to post more than a hundred lines and leave out the best part

And wait it gets better..

not vulnerable Linux kernel 2.4.27 -pre2 Thats right kiddies the fix is already out there.. The vulnerability was discovered and fixed in the same day, by the same person.

[N3WBI3]

Can you please point me to a post where someone says there are no vulnerabilities in linux? please, I know yore really concerned about all the people saying there are no bugs in the Kernel... Please let me know..

[Bush2000]

Of course, being the fair guy that you are, you would point out that this only affects people who are using this particular device.

Oh, yeahhhh. The E1000 is such a rare Ethernet card /SARCASM

[seastay]

"What is you take on the CEO of microsoft saying that tech people in the US should make no more than 55,000 per year?"

no wonder there are so many security holes, shows the management just doesn't care to pay for quality

[Bush2000]

I notice that kernel 2.6 is not affected, not that you would be sharp enough to notice..

Thank God that the entire world is running the 2.6 kernel. /SARCASM

[Bush2000]

Thats right kiddies the fix is already out there.. The vulnerability was discovered and fixed in the same day, by the same person.

Thank God that everyone in the world will simultaneously upgrade to the patch -- and nobody will fail to apply the patch /SARCASM

[inflation]

http://www.theinquirer.net/?article=15926

By INQUIRER staff: Saturday 15 May 2004, 18:49
EARLIER THIS week Microsoft CEO Steve Ballmer apparently suggested that the way to keep American jobs was to lower US professionals' pay to $55,000 - according to a report here.

That will help jobs stay in America, Ballmer seems to be implying, faced with competition from outsourced workers who will accept much less.

According to this report on Cnet last September, Steve B and Bill G each got $551,667 in salary and $313,447 in bonuses last year.

Neither got any additional stock options then, but each already has plenty of shares in MSFT.

Perhaps Steve should start by cutting his own salary by a tenth, as he is undoubtedly a US professional, and set that as the benchmark for the rest of the thousands of employees at Microsoft?

No one has yet matched HP's chutzpah in helping to engineer a plan which involved laying off people in North America and then trying to re-hire them at a fraction of what they were earning before.

But maybe it's worth contemplating Steve. An outsourced CEO is an idea that hasn't yet been tried and it would certainly cut down on expenses. µ

[inflation]

The installed base of Gigabit Ethernet cards isn't that large. Perhaps you are thinking of NE2000 nics?

[John Lenin]

LOL. Linux, it's the hackers choice !

[N3WBI3]

Lets see what is Microsofts time between a vulnerability announcement and a fix? usually on the order of three weeks? This one was less than 24 hours. This instance demonstrates the strenght of open source development *code review*

Everyone in the world does not have to update, only those running gig ethernet card in their servers, this eliminates desktops and low end servers.

[Bush2000]

Standard OSS tactic: "Hey, let's change the subject to Microsoft."

[Bush2000]

The installed base of Gigabit Ethernet cards isn't that large

"The Great Oz has spoken! Go home, all of you billowing bags of bovine fodder! Nothing to see here."

[inflation]

No, it isn't. It shows the mindset of the company that you love to defend. I use what tool is best for the job at hand, is that wrong in your opinion?