how to get people to upgrade? (Re: The weak link? DNS)

Bruce Pinsky bep at whack.org
Wed Mar 26 23:14:23 UTC 2003


Charles Sprickman wrote:
> On Wed, 26 Mar 2003 jlewis at lewis.org wrote:
> 
> 
>>One obvious problem with this would be that certain vendors prefer to
>>backport security fixes to older versions rather than test and release
>>new versions...so an insecure-looking version string may actually have
>>had fixes applied.
> 
> 
> I think you're talking about RedHat, right?  What other vendors take this
> approach?  I know that at a recent job I set out to scan for what versions
> of things were running on a bunch of boxes, and all the RedHat boxes were
> showing as running vulnerable versions of OpenSSH.
> 

Debian does as well.  Since they run 3 different primary release 
branches (stable, testing, unstable), they often backport security fixes 
onto the stable branch without introducing additional functionality from 
later revisions that would be introduced via the unstable and then 
testing branches.  For example, I'm running sendmail 8.12.3/Debian-5 
which is security patched up to sendmail version 8.12.8.  However, the 
current testing version is 8.12.6/Debian-7 and the unstable version is 
8.12.8/Debian-2.

> While personally I think this is a bogus way to manage security fixes,
> there are probably many many RedHat boxes out there running BIND.  Short
> of pointing out the error of their ways or expecting them to roll
> something into their own patches to fix the notification system, how would
> you handle that?  I mean, at least on the ssh thing, they didn't even
> change the version string one bit, not even a 'rh-p1' or something.  So as
> far as your scanner knows, and as far as the script kiddies know, you're
> running a vulnerable version.
> 

Actually, it's a very good way to run a stable environment and still get 
the benefit of fixes that address security or severe operational issues. 
In fact, the packages with the fixes were available the morning after 
sendmail 8.12.8 was posted and the CERT advisory went out.  I had it 
installed by the afternoon.

Can't speak for how RH handles their versioning, but as you can see 
above, Debian includes the source version on which a package is based 
plus a revision to indicate additional changes specifically added for 
Debian.  It makes it very easy to keep track of what I have installed 
even if kiddie scripts think I'm running downrev versions (which I'm not).

==========
bep
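The point Bruce makes above, that a banner like "8.12.3/Debian-5" tells a banner-grabbing scanner only the upstream number while the Debian revision is where the backported fix lives, can be shown in code. The following Python script is an added example, not part of this thread and not Debian or sendmail tooling: it implements dpkg's version ordering (epoch, upstream, revision, with "~" sorting first), runs a banner-only check that flags the host, and then runs a package-aware check that reads a Debian changelog for the entry recording the backport. The SMTP banner, the changelog text and the version numbers are constructed for illustration; a real check would read /usr/share/doc/sendmail/changelog.Debian.gz on the host.

```python
"""Banner-only vs. package-aware checks for a backported security fix.

Added example; the banner, the changelog text and the version numbers
are constructed for illustration and are not taken from a real host.
"""
import re
from functools import cmp_to_key

# Constructed SMTP greeting of the kind a banner-grabbing scanner sees.
# "8.12.3/Debian-5" = upstream version 8.12.3, Debian package revision 5.
BANNER = "220 mail.example.org ESMTP Sendmail 8.12.3/Debian-5; Wed, 26 Mar 2003 12:00:00 +0000"

# Constructed changelog in the layout of /usr/share/doc/<pkg>/changelog.Debian.gz.
CHANGELOG = """\
sendmail (8.12.3-5) stable-security; urgency=high

  * Backport the buffer overflow fix from sendmail 8.12.8 (the issue in
    the CERT advisory) without pulling in the rest of 8.12.8.

 -- (maintainer and date omitted)

sendmail (8.12.3-4) stable; urgency=low

  * Build fix only; no upstream code changes.

 -- (maintainer and date omitted)
"""

BANNER_RE = re.compile(r"Sendmail (?P<upstream>\d+(?:\.\d+)+)(?:/Debian-(?P<rev>\d+))?")
HEADER_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9.+-]*) \((?P<ver>[^)]+)\) ", re.M)


def _order(c):
    """dpkg's character ranking: '~' before end-of-string, then digits/end,
    then letters by code point, then other punctuation after all letters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one version fragment (upstream or revision) the way dpkg does:
    alternate non-digit runs (ranked by _order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros do not count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():   # longer digit run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def deb_version_cmp(a, b):
    """Negative, zero or positive like dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_sendmail_banner(line):
    m = BANNER_RE.search(line)
    if not m:
        raise ValueError("no Sendmail version in banner")
    return m.group("upstream"), m.group("rev")


def banner_to_deb_version(line):
    """'8.12.3/Debian-5' in the banner is package version '8.12.3-5'."""
    upstream, rev = parse_sendmail_banner(line)
    return f"{upstream}-{rev}" if rev else upstream


def naive_verdict(banner_line, fixed_upstream="8.12.8"):
    """Banner-only scanner: compares the upstream number alone."""
    upstream, _ = parse_sendmail_banner(banner_line)
    return "vulnerable" if deb_version_cmp(upstream, fixed_upstream) < 0 else "ok"


def parse_changelog(text):
    """[(version, body), ...] newest first; body is everything after the header."""
    heads = list(HEADER_RE.finditer(text))
    return [(h.group("ver"), text[h.end():heads[k + 1].start() if k + 1 < len(heads) else len(text)])
            for k, h in enumerate(heads)]


def changelog_verdict(changelog_text, installed_version, fix_marker):
    """Package-aware check: installed revision at or above the earliest
    changelog entry whose body records the backport (fix_marker)."""
    fixed_in = [v for v, body in parse_changelog(changelog_text) if fix_marker in body]
    if not fixed_in:
        return "vulnerable"
    earliest = min(fixed_in, key=cmp_to_key(deb_version_cmp))
    return "fixed" if deb_version_cmp(installed_version, earliest) >= 0 else "vulnerable"


if __name__ == "__main__":
    installed = banner_to_deb_version(BANNER)
    print("package version from banner:", installed)
    print("banner-only scanner        :", naive_verdict(BANNER))
    print("changelog-aware check      :", changelog_verdict(CHANGELOG, installed, "8.12.8"))
```

The two verdicts disagree on the same host: the banner-only check reports "vulnerable" because 8.12.3 is older than 8.12.8, while the changelog-aware check reports "fixed" because revision 8.12.3-5 is the entry that records the backport, and a host still on 8.12.3-4 would be reported "vulnerable" by both. The caveat for anyone auditing such hosts is that the second check needs access to the package metadata (dpkg -s, the changelog, or the distribution's security announcements), which a remote scanner does not have, so banner scans of backport-using distributions produce false positives and the package database is the authoritative source.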




More information about the NANOG mailing list