[OpenIndiana-discuss] Critical security issue notification

Peter Tribble peter.tribble at gmail.com
Fri Apr 11 11:03:33 UTC 2014


On Fri, Apr 11, 2014 at 11:35 AM, Edward Ned Harvey (openindiana) <
openindiana at nedharvey.com> wrote:

> > From: Udo Grabowski (IMK) [mailto:udo.grabowski at kit.edu]
> >
> > Moral: Never run a changing system !
>
> Heheh, I hope the irony is intentional.  ;-)  Like "Never get vaccines,
> because sometimes vaccines cause problems."   ;-)  It's true that sometimes
> updates cause problems, but there are *more* problems without.


Not necessarily. Above a certain level of maturity in software, it's
often the case that the primary vector for newly found bugs is new
code changes - whether that be for fixing other bugs or for new
features. Both openssl and bind are arguably in this category.


>  The irony of suggesting that 0.9.8 is better than 1.1.0...  If anybody
> cares, could be easily dismantled by just reading the changelog of the
> openssl releases...
> http://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=CHANGES;hb=HEAD
>
> The latest 0.9.8 is 4 years old.


Nope. 0.9.8y is about a year old.


>  Since then, I see many security vulnerabilities fixed... CVE-2010-3864,
> CVE-2010-4252, CVE-2010-4180, CVE-2011-0014,  etc.
>

All of which are fixed in the current 0.9.8 release. (And fixed in OI.)


> Point is, as soon as there's any security vulnerability discovered, it
> both gets *published* so the world knows about it, and it also gets
> patched.  If you don't keep up with patches, you're literally publishing
> your vulnerabilities to the world, for everyone to see, and then sitting
> back and neglecting to patch it up.
>

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/