[OpenIndiana-discuss] Critical security issue notification
Peter Tribble
peter.tribble at gmail.com
Fri Apr 11 11:03:33 UTC 2014
On Fri, Apr 11, 2014 at 11:35 AM, Edward Ned Harvey (openindiana) <
openindiana at nedharvey.com> wrote:
> > From: Udo Grabowski (IMK) [mailto:udo.grabowski at kit.edu]
> >
> > Moral: Never run a changing system !
>
> Heheh, I hope the irony is intentional. ;-) Like "Never get vaccines,
> because sometimes vaccines cause problems." ;-) It's true that sometimes
> updates cause problems, but there are *more* problems without.
Not necessarily. Above a certain level of maturity in software, it's
often the case that the primary vector for newly found bugs is new
code changes - whether that be for fixing other bugs or for new
features. Both openssl and bind are arguably in this category.
> The irony of suggesting that 0.9.8 is better than 1.1.0... If anybody
> cares, could be easily dismantled by just reading the changelog of the
> openssl releases...
> http://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=CHANGES;hb=HEAD
>
> The latest 0.9.8 is 4 years old.
Nope. 0.9.8y is about a year old.
> Since then, I see many security vulnerabilities fixed... CVE-2010-3864,
> CVE-2010-4252, CVE-2010-4180, CVE-2011-0014, etc.
>
All of which are fixed in the current 0.9.8 release. (And fixed in OI.)
> Point is, as soon as there's any security vulnerability discovered, it
> both gets *published* so the world knows about it, and it also gets
> patched. If you don't keep up with patches, you're literally publishing
> your vulnerabilities to the world, for everyone to see, and then sitting
> back and neglecting to patch it up.
>
--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
More information about the OpenIndiana-discuss
mailing list