Message-ID: <8beca8204071212286cb36191@mail.gmail.com>
From: avivra at gmail.com (Aviv Raff)
Subject: Is Mozilla's "patch" enough?

On Mon, 12 Jul 2004 21:02:51 +0200, Florian Weimer <fw@...eb.enyo.de> wrote:
> * Aviv Raff:
> 
> > On Mon, 12 Jul 2004 20:34:44 +0200, Florian Weimer <fw@...eb.enyo.de> wrote:
> >> * Aviv Raff:
> >>
> >> > Security patches shouldn't be overridden unless intended to (i.e.
> >> > uninstalled).
> >>
> >> This is not standard industry practice.  Especially if a patch might
> >> break previously working configuration, I completely agree that it's
> >> correct.
> >
> > That's why there should be a way to uninstall the patch, as I wrote.
> 
> This requires that you have individual patches for each vulnerability,
> something that is often practically impossible (because of
> combinatoric explosion) and is a support nightmare if it is possible.

That's why from time to time there should be a cumulative patch (aka
Service Pack).

> Those vendors supplying source code are far better off in this area.
> You simply pick the parts you like and recompile your own version.

You really think that those people who don't know how to use the
configuration files will know how to recompile their own version?

