jzb 4 hours ago

This is amazing. Page says it works on RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.

oskarkk 3 hours ago | parent | next [-]

14.3 seems to come from some Red Hat-specific GCC version, which can be reported as "gcc (GCC) 14.3.1 20250617 (Red Hat 14.3.1-2)". See these random examples I found by googling:

https://github.com/anthropics/claude-code/issues/40741 (gcc version "Red Hat 14.3" included in system version at the bottom)

https://docs.oracle.com/en/database/oracle/tuxedo/22/otxig/s...

bryanlarsen 4 hours ago | parent | prev | next [-]

On the same line it says kernel version 6.12.0-124.45.1.el10_1. Which is RHEL 10. This is the kind of typo that humans make -- the hard to type numbers are accurate because they're cut and pasted, but the "easy" numbers have errors because they're not cut and pasted.

tylerni7 3 hours ago | parent | prev | next [-]

Ugh, sorry, should be fixed. There was some scrambling to get more info together to explain the issue (and yes, obviously marketing), so there are some minor mistakes. Thanks for pointing it out!

justinclift an hour ago | parent [-]

> obviously marketing

Why marketing though?

tylerni7 an hour ago | parent | next [-]

Because we're a company and we want to make money to continue to fund cool research, and help our customers secure their software :)

Sohcahtoa82 an hour ago | parent | prev [-]

Resume-driven development

IgorPartola 39 minutes ago | parent [-]

I would rather people who find this kind of stuff pad their resumes and get coolness points on HN than sell this exploit on the black market. But your priorities may be different and you might prefer they do the latter.

rdtsc 4 hours ago | parent | prev [-]

> This is amazing. Page says it works on RHEL 14.3, which doesn’t exist. Current RHEL is 10.x, this must’ve been done in a TARDIS.

Indeed. "Distributions we directly verified: RHEL 14.3". Directly verified by me to be AI slop (the release page at least).

https://access.redhat.com/articles/red-hat-enterprise-linux-...

> Talk to our security experts

(at the bottom of the page)

I have a sneaking suspicion his first name is Claude. Don't get me wrong though, he is pretty good I hear.

tptacek 4 hours ago | parent | next [-]

I have no idea about this page, but Theori/Xint has a staff of veterans, they are a serious thing.

rdtsc 4 hours ago | parent | next [-]

The fact that they have no idea RHEL 14, probably the most well known enterprise distro, is not a thing, and yet they "directly verified on it" casts some doubt on seriousness.

tptacek 4 hours ago | parent | next [-]

I don't know what to tell you. I'm sure you have them dead to rights on Linux distro knowledge reliability, but the exploit here is real, and the vulnerability researchers they have on staff are also real. Xint is not generally a slop factory.

It's ironic that the one thing LLMs can't do reliably in this space is "write copy for humans" (I don't trust them for that either).

JeremyNT 2 hours ago | parent | next [-]

Honestly I feel like a coding agent review would have caught this issue. I guess if you want to vibe-code your branded CVE web site it's not a bad idea to at least mash /review at the end.

Kind of funny to do something impressive and then ignore the details on the presentation, but perhaps that's not uncommon for security researchers?

stackghost 4 hours ago | parent | prev | next [-]

Is it more likely they have no idea what version RHEL is on, or that it's just a typo?

0x0 3 hours ago | parent | prev [-]

Dropping a public exploit on github before distros have patches available isn't very cool, or is that just how veterans roll these days?

tptacek 2 hours ago | parent | next [-]

There is no one accepted set of norms on disclosure. Any strategy you take, someone will criticize.

akerl_ 2 hours ago | parent | prev | next [-]

I don’t know if “cool” is the word I’d use, but there isn’t an established “right” way to disclose a vulnerability that you found outside of a contracted security review or other employment/contracting arrangement.

john_strinlai an hour ago | parent | prev [-]

Mainline was patched a month ago.
