
Re: DSA 438 - bad server time, bad kernel version or information delayed?



Greetings,

On Wednesday, 18 February 2004 21:31, Otavio Salvador wrote:
> Florian Weimer <fw@deneb.enyo.de> writes:
> > Jan Lühr wrote:
> >> Does this mean that a well-known exploit was kept back for nearly three
> >> weeks, just because some odd vendors were unable to build their kernels
> >> in time?
> >
> > Yes, this is the norm.  Debian hides security bugs from its users for
> > extended periods of time.
>
> Yes, but this has a reason. Before uploading a fix, it needs to be available
> on all supported archs and tested, since most of our users install it
> trusting the Debian Security Team, and because of this, it should not fail ;-)

Well, of course you might have quite good reasons for doing so, but for me,
this is quite a good reason for changing the distro or OS.
Hiding unfixed holes is one thing (and I partly appreciate that), but hiding
already fixed packages is quite astonishing, and you cannot tell me you need
more than two weeks to test a simple correction.

May I ask what local / remote root exploit fixes you are holding back
currently? Should I switch off my sshd for the next few days, or does the
current bash have an unfixed local root exploit?
This is exactly the same policy M$ has, but the point is, you could at least
inform your users.
An unknown local root exploit was one of the key parts in the Debian server
compromise, and we have all seen the consequences.
Surely you can see that I want to keep this risk as small as possible on my
servers.

Keep smiling
yanosz


