[OpenIndiana-discuss] Critical security issue notification

Edward Ned Harvey (openindiana) openindiana at nedharvey.com
Fri Apr 11 10:35:39 UTC 2014


> From: Udo Grabowski (IMK) [mailto:udo.grabowski at kit.edu]
> 
> Moral: Never run a changing system !

Heheh, I hope the irony is intentional. ;-) Like "Never get vaccines, because sometimes vaccines cause problems." ;-) It's true that sometimes updates cause problems, but there are *more* problems without. The irony of suggesting that 0.9.8 is better than 1.1.0... If anybody cares, could be easily dismantled by just reading the changelog of the openssl releases...
http://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=CHANGES;hb=HEAD

The latest 0.9.8 is 4 years old. Since then, I see many security vulnerabilities fixed... CVE-2010-3864, CVE-2010-4252, CVE-2010-4180, CVE-2011-0014, etc.

Point is, as soon as there's any security vulnerability discovered, it both gets *published* so the world knows about it, and it also gets patched.  If you don't keep up with patches, you're literally publishing your vulnerabilities to the world, for everyone to see, and then sitting back and neglecting to patch it up.


