[PLUG] Joe Jobbed

Aaron Burt aaron at bavariati.org
Mon Oct 8 18:06:55 UTC 2007


On Fri, Oct 05, 2007 at 08:11:07PM -0700, Ronald Chmara wrote:
> I blame lazy distros, who don't keep on top of security (Cent,  
> Debian, Ubuntu, RHEL... the whole lot of 'em are to blame).

What makes you say that?

> I blame lazy admins, who think that uptime is more important than  
> security upgrades (if you are running a machine a year old, maybe you  
> *deserve* to be rootkit'ed).

Kernel vulns are rare.  Remotely-exploitable ones far more so.

> I blame users (and admins) who don't understand that a disturbingly  
> large number of "web applications" are complete and total rubbish  
> (Joomla, WordPress, phpBB, phpNuke, Plesk, phpMyAdmin, cPanel... the  
> list is insane) when it comes to security.

PHP does make it easy for newbs to write web-apps quickly, which leads
to big security holes.  But the big-name apps are getting much better.  

> So, here's a quick survey:
> Who has a web server that was running PHP 5.2.4, openSSL 0.9.8d,  
> Apache 2.2.6, and a 2.6.22.9 kernel *before* I sent this message?

A lot of mine is older than that.  And patched.
Do you not believe that it's possible to patch vulns in older versions?