Full Disclosure mailing list archives
Re: No Subject (re: openssh exploit code?)
From: "Kenneth R. van Wyk" <ken () vanwyk org>
Date: Tue, 21 Oct 2003 17:26:18 -0400
On Tuesday 21 October 2003 17:07, Robert Ahnemann wrote:
> I flip to the local radar and get some sort of proof that there might be a thunderstorm coming. Talk is cheap (as was said), so it's up to the admin to verify if A) there is a real threat, B) the threat applies to your systems, C) the threat damage is worth the damage of 'unscheduled downtime'.
FWIW, I agree that these are all reasonable steps to take in order to help prioritize whether (exiting the analogy...) you should apply the patch to YOUR systems. There are a couple of other complicating factors that I haven't seen mentioned in this thread, though -- apologies if I've overlooked them:

1) I've seen patches break applications. When applying a patch to a production app server, it's a good career-stabilizing move to test the patch to ensure that, if NOTHING else, the app still works once the patch is in place.

2) Change management in some tightly controlled production data centers can be extreme. This is particularly true for environments in which change management has regulatory oversight -- such as in the pharmaceutical industry, where servers have to be FDA certified (in the USA, at least). That is, in some cases, even if you KNOW that the storm is coming and it is highly likely to hit you, you cannot take the corrective action that you think is called for. In cases like this, it may be prudent to look for other workarounds to protect those production systems...

There are a lot of variables and complexity to the patch-and-chase process. If it were only so simple to run {windows update|apt-get upgrade|up2date|...} on all of our systems, we would have figured it out by now. IMHO.

Cheers,

Ken van Wyk
http://www.krvw.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html