Re: root compromise on debian woody
On Thu, 26 May 2005, Roberto C. Sanchez wrote:
> On Thu, May 26, 2005 at 06:41:18PM -0700, Alvin Oga wrote:
> >
> > > > CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
> > > > - kernel-source-2.6.11 2.6.11 2.6.11-4
> > > > - kernel-source-2.6.8 2.6.8-16
> > > > - kernel-source-2.4.27 2.4.27-10
> >
> > always use the latest kernel ... from kernel.org ...
> >
> > and similarly with other important binaries from their
> > respective originating site
> > mta, apache, kernel, glib, make/gcc, bash, endless list
> >
>
> Sorry, but that is horrible advice. For every app you get directly from
> upstream, you become directly responsible for supporting security
> issues. I understand that even if you use the Debian packages, you are
> still ultimately responsible. Not only that, but the Debian Security
> Team does an excellent job given the resources and situation. Woody has
> versions of software that were no longer supported upstream when Woody
> shipped. That makes security support really difficult, but that doesn't
> mean that someone should run out and install everything from source.
> That sort of defeats the purpose of a distro.
sounds like all the same identical arguments can also be used for using
the originating sources instead of *.deb and the lag time between
patches is up to the debian security team or *you/me* ...
one's preference to depend on *.debs should NOT make it better or worse
than using *.tgz files released from the original sources
i prefer to have tighter and finer controls than depend on old packages
and as the original poster noted ... the original problem he had has
been fixed by the latest/greatest kernel ( *.30 ) which has been out for
almost 2 months
( 2 months to wait for updates and security patches is too long for me )
c ya
alvin