Full Disclosure mailing list archives

The last word on the Linux Slapper worm


From: vdongen () hetisw nl (vdongen)
Date: Thu, 26 Sep 2002 11:30:14 +0200

As I've pointed out elsewhere, patching old versions without changing
the version number is so stupid it leaves me boggling. But I guess in
future I'll write into advisories: "warning - your vendor may be such a
moron that you can't tell whether you are vulnerable or not by the
version number, so I advise building from source or switching to a
vendor with a clue".
I have to disagree on this; the way Debian patches the current versions
of the stable distribution is a good thing in my opinion.
Instead of upgrading the software, they backport the fixes into the
current version.
This prevents getting new problems with compatibility and such when
implementing new versions.
New versions of a certain package mostly require updates of other
packages and/or rewriting config files, which is something that
requires lots of testing before applying on a production machine,
which is time you mostly don't have when a problem is found.

Greetings,

Ivo van Dongen



Yeah, I know they bump some other number that if you know what you are
doing will indicate whether you are vulnerable. Obviously it's impossible
for that information to get into the advisory.

In short, I don't see what you expect us to do about this, except to try
to get vendors to behave sensibly.

Cheers,

Ben.
