Security Basics mailing list archives

Re: Patching


From: Florian Streck <streck () papafloh de>
Date: Mon, 20 Oct 2003 18:53:42 +0200

On Mon, Oct 20, 2003 at 10:12:29AM +0200, Alessandro Bottonelli wrote:
A thought has been crossing my mind for a long time, I'd like to confront it 
with the list.

In the "old days" a patch and/or fix was defined as "something that closes a 
known hole and opens ten unknown holes" :-) Yet, literature and common 
practices keep saying we should maintain our systems and network appliances 
up to date with the latest patches / software releases.

WHY should I feel safer that way? How can I tell Rev. 1.3 is any better 
(security-wise) than Rev. 1.2? Is the cost (financial and others) of change 
management worth it? If so, how can I measure such worthiness?
-- 
Alessandro Bottonelli

You should feel safer, because the hole that the patch was made for is
already known and exploits might come up in a very short time. The holes
that are possibly introduced by the patch aren't yet known (hopefully)
and so your system will be safe for a while, until those holes are
discovered.
And, assuming a patch closes one hole and introduces at most one new hole,
the number of holes decreases. I'm not very familiar with the number of
new holes that are opened through patching, but I can't imagine (blessed
ignorance ;-) that patches are that bad.


Florian Streck
