Open Source and information security mailing list archives
From: vdongen at hetisw.nl (vdongen)
Subject: The last word on the Linux Slapper worm

> As I've pointed out elsewhere, patching old versions without changing
> the version number is so stupid it leaves me boggling. But I guess in
> future I'll write into advisories: "warning - your vendor may be such
> a moron that you can't tell whether you are vulnerable or not by the
> version number, so I advise building from source or switching to a
> vendor with a clue".
I have to disagree on this; the way Debian patches the current versions
of the stable distribution is a good thing in my opinion.
Instead of upgrading the software, they backport the fixes into the
current version.
This prevents getting new problems with compatibility and such when
implementing new versions.
New versions of a certain package mostly require updates of other
packages and/or rewriting config files, which is something that
requires lots of testing before applying on a production machine,
which is time you mostly don't have when a problem is found.

Greetings,

Ivo van Dongen


> 
> Yeah, I know they bump some other number that if you know what you
> are doing will indicate whether you are vulnerable. Obviously it's
> impossible for that information to get into the advisory.
> 
> In short, I don't see what you expect us to do about this, except to
> try to get vendors to behave sensibly.
> 
> Cheers,
> 
> Ben.


