[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: When are security updates effective?

* Quoting Mikko Rapeli (mikko.rapeli@iki.fi):

> On Fri, Sep 01, 2006 at 06:56:17PM -0400, Michael Stone wrote:
> > On Sat, Sep 02, 2006 at 12:28:17AM +0300, Mikko Rapeli wrote:
> > >- can a process running vulnerable code be exploited to not show the
> > > shared libraries and other non-shared libraries and files it had opened 
> > > for reading at some point?
> > 
> > Of course it can. And that's irrelevant to the question at 
> > hand--installing a security update at that point isn't going to help.
> 
> I think it is relevant: should the effectiveness actions in general 
> be based on the host where the update was applied through lsof, package 
> dependencies provided and digitally signed by Debian, some other information
> provided and digitally signed by the Debian security team in an
> advisory or something else?

The problem here is that when the software has
been exploited already, installing the security
update doesn't fix the problem anymore.

> When an admin takes the chance and trusts lsof, that's fine. If low
> privilege process starts spamming the world he'll propably notice. But if
> making these upgrades effective is ever automated, I wouldn't like to take
> that chance.

True, but in the example from above it's too late
for that.

- Rolf
Reply to: