
Re: Sarge & Sid security

Cliff Flood wrote:
> How do people feel about running Sarge or Sid facing the Internet 
> considering it doesn't get security updates as promptly as Woody? I'm 
> more concerned about daemons and remote exploitation than local issues.
> What, in the past, have been the response times for updated patched 
> OpenSSH packages, for example, to make it to either unstable or testing?

Well, just as an example, the last serious ssh security hole, bug
#281595, was discovered in April 2003, didn't hit the Debian bts until
November 2004, and was fixed in sid 12 days later, and probably sarge 2
days after that. Stable is still vulnerable. Perhaps that's a bad
example; it was a minor hole that slipped through the cracks until a
recent security audit of sarge for old holes.

The one before that, CAN-2003-0693, was made public on 16 sep 03 and
fixed in stable and in unstable on the same day. I don't have records,
but I'd assume the fix hit sarge 2 days later.

Hope that helps, though I doubt it. I will say that I doubt that many
people have devoted the time to looking at the rates security holes are
fixed in stable, unstable, and testing to sensibly compare them. Much of
the received wisdom on this topic is out of date or wrong.

see shy jo

