
Re: BF kernels (was: [DSA 479-2] New Linux 2.4.18 packages fix local root exploit (i386))



On Thu, 15 Apr 2004 07:56 pm, Tim Nicholas wrote:
> If I recall correctly it is assumed that users will not run on the
> boot floppy kernels after the initial system installation. They are
> expected to install a more appropriate kernel after finishing the
> install.
>
> As such there will be no patch for the boot floppy kernel.

I disagree with the generalisation. Let me tell you two little tales.

1. A few weeks ago I was building a new cluster of our servers. We 
operate a networked system that runs from its own network range, albeit 
behind a firewall.

Within a few seconds of the network route being announced to the 
Internet, the entire range was neatly and efficiently portscanned on a 
range of commonly vulnerable ports. Adjacent netblocks were not 
scanned, i.e. someone was watching the new network range come up.

In other words, people are ready to pounce, and that short gap of time 
after server installation and before installing patched code cannot be 
considered "safe". Quite the opposite.

2. I have seen highly experienced, capable, intelligent, diligent, 
hardworking sysadmins accidentally leave a bf kernel running. It happens. 
In our environment, it's usually noticed within a day.

The specifics of DSA479 notwithstanding; either of these would motivate 
me to agree with Michelle that bootfloppies should be updated, too.

(I roll our own kernel and installation CDs here, and we use updated & 
custom packages in the debootstrap kit, so we don't have the same 
exposure.)

- Joshua.


-- 
Joshua Goodall <joshua@myinternet.com.au>
Solutions Architect / Principal Security Architect
myinternet Limited.
