Why does a critical utility like this need Python, Ruby, and Perl? Scripting languages intended for applications development, with their interpreters and libraries and dependencies, expand the attack surface beyond anyone's ability to consider all of the security holes.
When you upgrade a Python module to fix a security vulnerability, you need to restart the Python processes that loaded it. So needrestart supports scanning all processes on the system to see if they are Python processes and if they loaded the Python modules that were upgraded. Same goes for Ruby and Perl, microcode and more.
The alternative approach is to just reboot after every upgrade like on Windows. That can be disruptive in some situations so needrestart was created to only restart the things that need restarting.
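The process scanning described above, as an added example that is not needrestart's own code: it parses `/proc/<pid>/maps` text and reports mapped files whose on-disk copy has been replaced by an upgrade (the kernel appends `(deleted)` to such paths), singling out Python extension modules. The sample maps content is constructed; the `/proc` reader assumes Linux. Only memory-mapped shared objects show up this way, so pure-Python `.py` modules need a different check.

```python
import re
from pathlib import Path

# Constructed sample of /proc/<pid>/maps output, not captured from a real host.
SAMPLE_MAPS = """\
55d1a3c00000-55d1a3c1c000 r--p 00000000 fd:01 1311 /usr/bin/python3.11
7f2b1c000000-7f2b1c021000 r-xp 00000000 fd:01 9210 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f2b1c400000-7f2b1c4a0000 r--p 00000000 fd:01 4411 /usr/lib/python3/dist-packages/cryptography/hazmat/bindings/_rust.abi3.so (deleted)
7f2b1c800000-7f2b1c821000 r-xp 00000000 fd:01 9211 /usr/lib/x86_64-linux-gnu/libz.so.1.2.13
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""

# address perms offset dev inode, then the pathname; anonymous/pseudo maps ([stack], [heap]) don't match.
MAPS_RE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(?P<path>/.+?)(?P<deleted> \(deleted\))?$")

# Heuristic for Python extension modules living under the interpreter's package dirs.
PY_MODULE_RE = re.compile(r"/(?:dist|site)-packages/|/lib/python3")


def stale_mappings(maps_text: str) -> list[str]:
    """Return mapped file paths whose on-disk copy was replaced while the process kept the old one."""
    stale = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m and m.group("deleted"):
            stale.append(m.group("path"))
    return stale


def python_modules_needing_restart(maps_text: str) -> list[str]:
    """Subset of stale mappings that look like Python extension modules."""
    return [p for p in stale_mappings(maps_text) if PY_MODULE_RE.search(p)]


def scan_process(pid: int) -> list[str]:
    """Read a live /proc/<pid>/maps (Linux only); empty list if the process is gone or unreadable."""
    try:
        return stale_mappings(Path(f"/proc/{pid}/maps").read_text())
    except OSError:
        return []
```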
I see. I question the wisdom of using Python, Ruby, Perl etc. for system-level utilities in the first place but that train left the station a long time ago.
It still sounds like duct tape to me. An OS should know the dependencies of each service without having to perform complex dynamic scanning to find out. Is this information not already in dpkg?
You can't know that all services are running apt installed code, or if they are whether they were restarted already, and the dependencies don't encode what each binary loads at runtime. So scanning processes is the correct thing to do.
> So scanning processes is the correct thing to do.
Most solutions in engineering involve a trade-off. Clearly this solution trades simplicity for complexity and multiple CVEs. An OS could utilise a known static configuration as described by its packaging system, for a much simpler solution. It could disallow running services any other way.
The article doesn't mention that the security vulnerabilities are inherited from Debian, so Debian users are also affected.
The article is incorrect in implying that users must either upgrade to needrestart 3.8 or adjust configuration to mitigate. If you're using Debian or Ubuntu, the correct thing to do is to upgrade to the distribution's already patched version by using the usual "apt update && apt upgrade". This won't take you up to 3.8 but will fix the issue, as is the point of stable distribution releases.
On Ubuntu, this is automatic since unattended-upgrades installs security upgrades nightly by default.