
Re: ssh vulnerability



On Tue, Oct 23, 2001 at 01:19:58PM +0200, Philipp Schulte wrote:
> On Mon, Oct 22, 2001 at 06:21:51AM -0300, Peter Cordes wrote: 
> 
> > Just as you automate everything you can, in the name of laziness, you can
> > wait until stuff falls into your lap instead of going out and fixing it
> > yourself, if the problem is not at all likely to lead to any real problems
> > for your system.
> 
> And where is the relation to "security"?

 If there is no real security risk to your system (e.g. you weren't using
the feature that the problem is in), then you can wait for the security team
to handle it and upload a new package.  If you have multiple layers of
defence, and the vulnerability only takes out one of them, then you can wait
a while instead of fixing it yourself.  (e.g. with this ssh vuln., you would
only be at real risk if attackers actually had the necessary keys, but not
access to an IP that you allowed logins from.  If you were pretty sure that
nobody had stolen your keys, you wouldn't really have to worry about the
vuln.)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE


