From: tremaine.lea at sjrb.ca (Tremaine Lea)
Subject: The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011

 

> -----Original Message-----
> From: Ron DuFresne [mailto:dufresne@...ternet.com] 
> Sent: Wednesday, April 14, 2004 2:41 PM
> To: Tremaine Lea
> Cc: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] The new Microsoft math: 1 
> patch for 14 vulnerabilities, MS04-011
> 
> 
> 
> 	[SNIP]
> 
> >
> > This merely begs the question, why do they not then release the 
> > patches as both?  A single "patch'em all" one for single users and 
> > those who can afford to implement patches this way, and a broken out 
> > set of the patch that can be more thoroughly tested in larger scale 
> > environments where the big patch solution doesn't work.
> >
> 
> 
> a major contributing factor is dependencies, and as others 
> pointed out we are seeing more and more of that in the linux 
> desktop realm as well, and even in the other major unix 
> vendor realms too.  you can't often fix one little .exe or 
> .com file in an env whence the browser acts as the kernel 
> which acts as the shell which acts as an individual 
> application that replaces 20 applications once produced by 
> various vendors now bought out and sucked into the core 
> OS...but, redhat already is the 'windows' of the linux world 
> and suse is not far behind if it remains so now.
> 
> 
> Thanks,
> 
> Ron DuFresne


In cases such as you describe, obviously a single patch is preferred.  I was
referring more to instances where there are numerous fixes included in a
single patch that could as easily be made available as individual patches.

While I'm a self-confessed linux fan, we also have our share of exploits and
users who don't maintain a reasonable level of security on their systems.  I
know a large number of linux users who don't subscribe to the mailing lists
for their distro and so are often unaware of a problem until I bring it up
in casual conversation ;)  Users are users, and while I like to think that
linux users tend to be more Clued (tm) than Windows users... There are
plenty of glaring exceptions.

Cheers,

Tremaine

