Michael Stone wrote:
The issue isn't whether the bug is fixed (it already was) the issue is whther its publicized as a security fix with a big notice that everybody must upgrade now. Have you looked at the diffs between kernel revisions? That's a whole lotta fixed bugs. There's a human factor in the process of deciding which bugs get the full treatment and there always will be. Or do you have some better solution? Treating every bug fix as critical and making upgrade is *not* a solution because 1) people would get tired of it and not bother, not knowing whether it's a real important fix or not 2) the changes might introduce stability problems, which can themselves render the system unusable and 3) some bug fixes might introduce new security problems, leading to no net gain.
Actually this is exactly what I meant: There are known risks and unknown risks. What we can avoid are in the first place the known risks. So the question is just if we want to take these KNOWN risks or not. A discovered bug with a known exploit is a much higher risk as one without any known exploit, of course. So I have to agree, that the first kind of risks are those that have to be avoided first. As you said, we have to make a triage unless we have the resources to do it perfect (which in reality never can be achieved).
In the actual case of the hacked servers it was not just a bug, but a security problem (CAN-2003-0961) without an existing exploit.
I would never demand (and I cannot demand anything, as I could try to fix things by myself) that every bug should be fixed and that each time everyone has to update his / her kernel...
And I did not want to offend anybody with this or my previous post. These were rather philosophical thoughts that came to my mind...
Regards Marcel