nanog mailing list archives

RE: update

From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Sat, 27 Sep 2014 22:57:53 -0600


This is another case where a change was made.

If the change had not been made (implement the new kernel) then the vulnerability would not have been introduced.

The more examples people think they find, the more it proves my proposition.  Vulnerabilities can only be introduced or 
removed through change.  If there is no change, then the vulnerability profile is fixed.

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of
Valdis.Kletnieks () vt edu
Sent: Saturday, 27 September, 2014 22:47
To: Jay Ashworth
Cc: NANOG
Subject: Re: update

On Sat, 27 Sep 2014 21:10:28 -0400, Jay Ashworth said:

I haven't an example case, but it is theoretically possible.


The sendmail setuid bug, where it failed to check the return code
because it was *never* possible for setuid from root to non-root to
fail...
... until the Linux kernel grew new features.

Current thread:

Re: update, (continued)
- - - Re: update Jim Gettys (Sep 26)
    - RE: update Keith Medcalf (Sep 26)
    - Re: update Jay Ashworth (Sep 27)
    - Re: update Jimmy Hess (Sep 27)
    - RE: update Keith Medcalf (Sep 27)
    - Re: update Kenneth Finnegan (Sep 28)
    - RE: update Keith Medcalf (Sep 27)
    - Re: update Valdis . Kletnieks (Sep 28)
    - RE: update Keith Medcalf (Sep 27)
    - Re: update Valdis . Kletnieks (Sep 27)
    - RE: update Keith Medcalf (Sep 27)
    - Re: update Jimmy Hess (Sep 28)
    - RE: update Keith Medcalf (Sep 28)
    - Re: update Jay Ashworth (Sep 28)
    - Re: update Barry Shein (Sep 29)
    - Re: update Valdis . Kletnieks (Sep 29)
    - Re: update Jay Ashworth (Sep 28)
    - Re: update William Herrin (Sep 27)
    - RE: update Keith Medcalf (Sep 28)
    - Re: update Valdis . Kletnieks (Sep 28)
    - RE: update Keith Medcalf (Sep 28)

(Thread continues...)