how to get people to upgrade? (Re: The weak link? DNS)
Bruce Pinsky
bep at whack.org
Wed Mar 26 23:14:23 UTC 2003
Charles Sprickman wrote:
> On Wed, 26 Mar 2003 jlewis at lewis.org wrote:
>
>
>>One obvious problem with this would be that certain vendors prefer to
>>backport security fixes to older versions rather than test and release
>>new versions...so an insecure-looking version string may actually have
>>had fixes applied.
>
>
> I think you're talking about RedHat, right? What other vendors take this
> approach? I know that at a recent job I set out to scan for what versions
> of things were running on a bunch of boxes, and all the RedHat boxes were
> showing as running vulnerable versions of OpenSSH.
>
Debian does as well. Since they run 3 different primary release
branches (stable, testing, unstable), they often backport security fixes
onto the stable branch without introducing additional functionality from
later revisions that would be introduced via the unstable and then
testing branches. For example, I'm running sendmail 8.12.3/Debian-5
which is security patched up to sendmail version 8.12.8. However, the
current testing version is 8.12.6/Debian-7 and the unstable version is
8.12.8/Debian-2.
> While personally I think this is a bogus way to manage security fixes,
> there are probably many many RedHat boxes out there running BIND. Short
> of pointing out the error of their ways or expecting them to roll
> something into their own patches to fix the notification system, how would
> you handle that? I mean, at least on the ssh thing, they didn't even
> change the version string one bit, not even a 'rh-p1' or something. So as
> far as your scanner knows, and as far as the script kiddies know, you're
> running a vulnerable version.
>
Actually, it's a very good way to run a stable environment and still get
the benefit of fixes that address security or severe operational issues.
In fact, the packages with the fixes were available the morning after
sendmail 8.12.8 was posted and the CERT advisory went out. I had it
installed by the afternoon.
Can't speak for how RH handles their versioning, but as you can see
above, Debian includes the source version on which a package is based
plus a revision to indicate additional changes specifically added for
Debian. It makes it very easy to keep track of what I have installed
even if kiddie scripts think I'm running downrev versions (which I'm not).
==========
bep
More information about the NANOG
mailing list