Full Disclosure mailing list archives

The last word on the Linux Slapper worm


From: ben () algroup co uk (Ben Laurie)
Date: Thu, 26 Sep 2002 21:03:55 +0100

vdongen wrote:
>> As I've pointed out elsewhere, patching old versions without changing
>> the version number is so stupid it leaves me boggling. But I guess in
>> future I'll write into advisories: "warning - your vendor may be such
>> a moron that you can't tell whether you are vulnerable or not by the
>> version number, so I advise building from source or switching to a
>> vendor with a clue".

> I have to disagree on this, the way debian patches the current versions
> of the stable distribution is a good thing in my opinion.
> Instead of upgrading the software, they backport the fixes in the
> current version.
> This prevents getting new problems with compatibility and such when
> implementing new versions.
> New versions of a certain package mostly require updates of other
> packages and/or rewriting config files, which is something that
> requires lots of testing before applying on a production machine.
> Which is time you mostly don't have when a problem is found.

Please pay attention. I am not complaining about the practice of 
backporting fixes, which I wholly support. What I am complaining about 
is doing it in such a way that both the user and (particularly) the 
original author of the software cannot tell that it has been done.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
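The practical consequence of the disagreement above, for anyone auditing a fleet, is that an upstream version number alone cannot say whether a backported fix is present. The following is an added example, not code from the list or from any vendor: it parses Debian-style `[epoch:]upstream[-revision]` package versions and contrasts an upstream-only check with one that consults a vendor table of which revisions carry the backport. The version strings, the fixed upstream release and the vendor table are constructed placeholders, and the comparison function is a simplified version of the Debian ordering rather than the exact algorithm.

```python
import re
from itertools import zip_longest
from typing import NamedTuple


class DebVersion(NamedTuple):
    """Components of a Debian-style version string."""
    epoch: int
    upstream: str
    revision: str  # vendor revision; "" when built straight from upstream


def parse_deb_version(version: str) -> DebVersion:
    """Split '[epoch:]upstream[-revision]'; the last '-' separates the revision."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return DebVersion(epoch, upstream, revision)


def _tokens(s: str) -> list:
    # Alternate runs of digits and non-digits, e.g. '1.2.3a' -> ['1', '.', '2', '.', '3', 'a']
    return re.findall(r"\d+|\D+", s)


def compare_upstream(a: str, b: str) -> int:
    """Simplified Debian ordering: numeric runs compare numerically,
    everything else lexically, a missing trailing component sorts first.
    Returns -1, 0 or 1."""
    for x, y in zip_longest(_tokens(a), _tokens(b), fillvalue=""):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        return (x > y) - (x < y)
    return 0


# Constructed placeholder: the upstream release in which a hypothetical fix landed.
FIXED_UPSTREAM = "1.2.5"

# Constructed placeholder vendor table: upstream version -> lowest vendor
# revision that carries the backported fix (what an advisory would have to publish).
VENDOR_FIXED = {"1.2.3": "4"}


def assess_by_upstream_only(installed: str, fixed_upstream: str) -> str:
    """The naive check: ignores the vendor revision entirely."""
    v = parse_deb_version(installed)
    return "vulnerable" if compare_upstream(v.upstream, fixed_upstream) < 0 else "fixed"


def assess_vendor_aware(installed: str, fixed_upstream: str, vendor_fixed: dict) -> str:
    """Accounts for backports; answers 'unknown' when vendor data is missing,
    which is exactly the situation Ben complains about."""
    v = parse_deb_version(installed)
    if compare_upstream(v.upstream, fixed_upstream) >= 0:
        return "fixed"  # upstream release already includes the fix
    if not v.revision:
        return "vulnerable"  # built from source; no vendor backport possible
    min_fixed_rev = vendor_fixed.get(v.upstream)
    if min_fixed_rev is None:
        return "unknown"  # vendor revision present but no advisory data for it
    return "fixed" if compare_upstream(v.revision, min_fixed_rev) >= 0 else "vulnerable"


if __name__ == "__main__":
    for pkg in ("1.2.3-4", "1.2.3-3", "1.2.3", "1.2.5", "2:1.2.3-4"):
        print(pkg,
              "upstream-only:", assess_by_upstream_only(pkg, FIXED_UPSTREAM),
              "vendor-aware:", assess_vendor_aware(pkg, FIXED_UPSTREAM, VENDOR_FIXED))
```

The upstream-only check reports every backported build as vulnerable (a false positive that drives needless rebuilds from source), while the vendor-aware check can only give a definite answer when the vendor publishes which revision carries the fix; without that data it has to say "unknown", which is the cost of silent backports.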
