lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20020926092949.BD6E014E4DD@borg.kabelfoon.nl>
From: vdongen at hetisw.nl (vdongen)
Subject: The last word on the Linux Slapper worm

> As I've pointed out elsewhere, patching old versions without changing
> the version number is so stupid it leaves me boggling. But I guess in
> future I'll write into advisories: "warning - your vendor may be such
> a 
> moron that you can't tell whether you are vulnerable or not by the 
> version number, so I advise building from source or switching to a 
> vendor with a clue".
I have to disagree on this, the way debian patches the current versions 
of the stable distribution is a good thing in my opinion.
Instead of upgrading the software, they backport the fixes in the 
current version.
This prevents getting new problems with compatibility and such when 
inplementing new versions.
New versions of a certain package mosty require updates of other 
packages and/or rewriting config files. which is something that 
requires lots of testing before applying on a production machine.
Which is time you mostly don't have when a problem is found.

Greetings,

Ivo van Dongen


> 
> Yeah, I know they bump some other number that if you know what you
> are 
> doing will indicate whether you are vulnerable. Obviously its
> impossible 
> for that information to get into the advisory.
> 
> In short, I don't see what you expect us to do about this, except to
> try 
> to get vendors to behave sensibly.
> 
> Cheers,
> 
> Ben.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ