how to get people to upgrade? (Re: The weak link? DNS)

Charles Sprickman spork at inch.com
Wed Mar 26 21:57:28 UTC 2003


On Wed, 26 Mar 2003 jlewis at lewis.org wrote:

> One obvious problem with this would be that certain vendors prefer to
> backport security fixes to older versions rather than test and release
> new versions...so an insecure-looking version string may actually have
> had fixes applied.

I think you're talking about RedHat, right?  What other vendors take this
approach?  I know that at a recent job I set out to scan for what versions
of things were running on a bunch of boxes, and all the RedHat boxes were
showing as running vulnerable versions of OpenSSH.

While personally I think this is a bogus way to manage security fixes,
there are probably many many RedHat boxes out there running BIND.  Short
of pointing out the error of their ways or expecting them to roll
something into their own patches to fix the notification system, how would
you handle that?  I mean, at least on the ssh thing, they didn't even
change the version string one bit, not even a 'rh-p1' or something.  So as
far as your scanner knows, and as far as the script kiddies know, you're
running a vulnerable version.

Charles

> ----------------------------------------------------------------------
>  Jon Lewis *jlewis at lewis.org*|  I route
>  System Administrator        |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>



More information about the NANOG mailing list