TheStandard: Reading Red Hat's Piranha Problem
May 01, 2000, 11:30
(Other stories by Elinor Abreu)
"Security holes are not uncommon in the software industry. But a recent vulnerability discovered in a Red Hat (RHAT) Linux product has refueled the debate over the security of open-source software."
"Internet Security Systems' research division discovered in mid-April that Piranha, a collection of utilities used to administer the Linux Virtual Server in the latest version of Red Hat Linux, ships with a default password. If the password is not reset, a malicious hacker could use it to make changes to Web pages on the server and possibly bootstrap to other servers on the network that might have vulnerabilities, says Chris Rouland, director of the ISS research division that calls itself the 'X-Force.'"
"ISS has since helped Red Hat fix the problem. The default password was 'simply overlooked in quality assurance and not removed,' Rouland says, adding that such oversights illustrate a flaw in the security model of open-source software, in which many independent developers adapt and add to the product's code."
"'There's limited quality assurance in the open-source environment,' says Rouland, 'because open-source software is basically a bunch of people's hobby.'"
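The flaw the article describes is a shipped administrative credential that is only dangerous if nobody resets it, so the practical defensive control is an audit that detects accounts still using a vendor default. The following Python script is an added example, not code from the article, from Red Hat, or from the Piranha project: it assumes the web GUI stores accounts in an Apache htpasswd-style file using the `{SHA}` scheme (base64 of the SHA-1 digest of the password), which is one real htpasswd format but is not stated on the page for Piranha. The account name `piranha-admin`, the sample file and the string `DEFAULT-PASSWORD-PLACEHOLDER` are constructed stand-ins; the article does not give the real default value, and a deployment would substitute the values from its own vendor documentation.

```python
import base64
import hashlib

# Placeholder for the vendor-shipped default password (constructed; the
# article does not name the real value). A real audit list would come
# from the product's own release notes or advisory.
KNOWN_DEFAULT_PASSWORDS = ["DEFAULT-PASSWORD-PLACEHOLDER"]


def sha_htpasswd(password: str) -> str:
    """Encode a password the way Apache htpasswd's {SHA} scheme stores it.

    Assumption: this is the storage format of the credentials file being
    audited. The format is base64(SHA-1(password)) with a '{SHA}' prefix.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> dict:
    """Parse 'user:stored-hash' lines; blank lines and '#' comments are skipped."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        accounts[user.strip()] = stored.strip()
    return accounts


def find_default_credentials(text: str, defaults=KNOWN_DEFAULT_PASSWORDS) -> list:
    """Return (user, reason) pairs for accounts that still need attention.

    An account is flagged when its stored hash equals the hash of a known
    vendor default (the password was never reset) or when the password
    field is empty (no credential set at all).
    """
    # Hash each known default once, then compare against every stored value.
    default_hashes = {sha_htpasswd(p): p for p in defaults}
    findings = []
    for user, stored in parse_htpasswd(text).items():
        if not stored:
            findings.append((user, "empty password field"))
        elif stored in default_hashes:
            findings.append((user, "unchanged default password"))
    return findings


def build_sample_htpasswd() -> str:
    """Constructed sample credentials file for demonstration only."""
    return "\n".join([
        "# constructed sample: web GUI accounts (not a real Piranha file)",
        "piranha-admin:" + sha_htpasswd("DEFAULT-PASSWORD-PLACEHOLDER"),
        "ops:" + sha_htpasswd("a-locally-chosen-passphrase"),
        "legacy:",
    ])


if __name__ == "__main__":
    for user, reason in find_default_credentials(build_sample_htpasswd()):
        print(f"{user}: {reason}")
```

Run against a real file, the script would read the credentials file instead of `build_sample_htpasswd()`; any hit means the account is reachable by anyone who knows the vendor documentation, which is exactly the exposure the article attributes to the unreset Piranha password. Comparing hashes rather than plaintext keeps the check usable without ever storing the default in recoverable form on the audited host.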