Open Source and information security mailing list archives
 
Date: Fri, 14 Jan 2011 13:24:24 -0500
From: Valdis.Kletnieks@...edu
To: lists@...com.org
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	Zach C <fxchip@...il.com>
Subject: Re: Getting Off the Patch

On Fri, 14 Jan 2011 15:03:10 +0100, Pete Herzog said:

> And you would be wrong because patching means changing the code. You 
> know what you have and the operations are as you want them. Then you 
> want to change the code to deal with some problem which requires you 
> to verify your operations again to assure it is what you want. Perhaps 
> you don't implement change control. Perhaps you don't do functional 
> testing of operations after patching. Perhaps you choose to trust the 
> same people who made the flaw in the first place. Perhaps you don't 
> know your operational baseline. Perhaps you have lots of time to 
> spare. All reasons why you may want to patch AND use controls. But you 
> would be remiss to think that patching means only fixing a problem and 
> changes nothing else.

Anybody else seen machines with 3 and 4 copies of the Java runtime on them
because they have different applications that simply fail on certain patchlevels
of the JVM? :)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
