Re: Debian Investigation Report after Server Compromises



On Wed, 2003-12-03 at 07:04, Paul Johnson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Tue, Dec 02, 2003 at 09:41:15PM +0000, Oliver Elphick wrote:
> > Because there will be lots of people who haven't yet had the chance to
> > upgrade.  They won't thank us for making an exploit available to every 
> > would-be cracker.
> 
> Why should we cater to people who can't be bothered to help
> themselves?  Leaving readily compromisable systems out there does the
> net a disservice.

Suppose I go off for two weeks' holiday?  I'm the only one who can change
my system's kernel, but I leave it on because it is the gateway for
everyone else.  The day after I leave, some idiot publishes details of
this exploit and for 13 days my system is vulnerable, before I even hear
about the problem, let alone have the chance to fix it.

There is not yet a Debian package of kernel 2.4.23, so anyone who can't
downgrade to 2.4.18 must fetch his own kernel source and build it, which
may be beyond the abilities of many of those who are vulnerable.

-- 
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight, UK                             http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                 ========================================
     "What shall we then say to these things? If God be for 
      us, who can be against us?"              Romans 8:31 
