Message-ID: <13394.1295450861@localhost>
Date: Wed, 19 Jan 2011 10:27:41 -0500
From: Valdis.Kletnieks@...edu
To: cpolish@...ewest.net
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Getting Off the Patch

On Wed, 19 Jan 2011 07:08:54 PST, cpolish@...ewest.net said:

> Here's another factor to consider: with $VENDOR's kit you can't
> get support unless all the released patches are in place.

Equally bad - $APP_VENDOR only certifies their product against specific
outdated patch levels of $OS_VENDOR.  For a while, we had a printing system
in-house that under the covers was NT4.0 (in a day when Win2K had already been
out for a while).  Trying to patch it was futile, as it would (a) usually break
the print software, (b) render it unsupported by the vendor and (c) they
updated the print software by re-imaging the whole thing, so you'd end up back
at the same vulnerable release and patchlevel of NT4.0. (The vendor's
intransigence for not supporting current OS releases ended up with us buying
another vendor's printer when it came to replacement time, but that took
several years of lack of fun).

We were also stuck with an instance of Oracle 8.0 when everything else was at
10.0 because a package vendor hadn't certified anything past 8.0.  That wasn't
much fun either, and the DBAs went out to do some major celebrating when 10.0
finally got certified. :)



