[PLUG] Joe Jobbed
Ronald Chmara
ron at Opus1.COM
Tue Oct 9 03:20:21 UTC 2007
On Oct 8, 2007, at 11:06 AM, Aaron Burt wrote:
> On Fri, Oct 05, 2007 at 08:11:07PM -0700, Ronald Chmara wrote:
>> I blame lazy distros, who don't keep on top of security (Cent,
>> Debian, Ubuntu, RHEL... the whole lot of 'em are to blame).
> What makes you say that?
Because every vendor-driven package manager I've used lately is 1-24
months behind the latest security and stability fixes for some (or in
a few cases, many) of its packages. I understand the whole idea of
"stable" or "tested" (QA'd, certified, whatever) packages, but
somehow, I tend to think that "this is so stable that it reliably
lets attackers exploit it every time, and we won't fix it right now
in case somebody *depends* on that feature!".... is not exactly a
desirable condition.
>> I blame lazy admins, who think that uptime is more important than
>> security upgrades (if you are running a machine a year old, maybe you
>> *deserve* to be rootkit'ed).
> Kernel vulns are rare. Remotely-exploitable ones far more so.
<http://www.google.com/custom?q=linux+kernel&sa=Google+Search&cof=S%3Ahttp%3A%2F%2Fcve.mitre.org%3BGL%3A0%3BAH%3Aleft%3BLC%3A%23009%3BL%3Ahttp%3A%2F%2Fcve.mitre.org%2Fimages%2Fgoogle_cvelogo.jpg%3BAWFID%3Adf91761661c84389%3B&domains=cve.mitre.org&sitesearch=cve.mitre.org>
This year so far, I counted 6 remote kernel vulns, 14 local kernel
vulns.
I dunno what the metric for "rare" is, but if we don't find any more
remote vulns this year, that's an average of a new remotely
exploitable kernel vuln every 2 months, or, since we're in October,
that's an average of two new kernel vulns (20/10) found every month.
>> I blame users (and admins) who don't understand that a disturbingly
>> large number of "web applications" are complete and total rubbish
>> (Joomla, WordPress, phpBB, phpNuke, Plesk, phpMyAdmin, cPanel... the
>> list is insane) when it comes to security.
> PHP does make it easy for newbs to write web-apps quickly, which leads
> to big security holes. But the big-name apps are getting much better.
For this (getting better), I am thankful. Pity that their names often
had to get dragged through the mud first, but that's life.
>> So, here's a quick survey:
>> Who has a web server that was running PHP 5.2.4, openSSL 0.9.8d,
>> Apache 2.2.6, and a 2.6.22.9 kernel *before* I sent this message?
> A lot of mine is older than that. And patched.
> Do you not believe that it's possible to patch vulns in older
> versions?
Oh, it's *quite* possible, I could put out a
bind-4.0-12581768179f.rpm package right now, that was built from
source that's been patched all the way up to bind 9.5 code (without
bind 9.5 features). Sure, it's misleading, and sure, it leads to
serious confusion about what version is *actually* being run, and
sure, without side by side source compares, or a vendor just hoping
that its users will "trust them to be current/secure", the end-user
has no idea if they're running a current version.... but I certainly
agree, it's *possible*.
I'm not exactly sure it's a *good idea*, though.
But in the spirit of making sure I dole out my beers right, so far, I
owe Jon Scully for being version complete, Ed Sawiky for dodging the
bullet by segmenting out (and thus nearly eliminating) the typical
"problem child" binaries, and if you're actually monitoring the
source patches, rather than giving a hoot about "version numbers",
I'll gladly buy you a version of the package beer-0.1a-116987121.rpm
(an early teaspoon version of beer that was actually patched up to
being a full beer).
:)
-Bop
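The bind-4.0-patched-to-9.5 point above is the classic backport problem for anyone doing vulnerability inventory: a scanner that only compares version strings will flag a package the vendor has already fixed, and one that trusts the vendor blindly will miss a package that was never patched. The following is an added example, not code from this thread or from any distro's tooling; it contrasts a version-string-only check with one that also reads the package changelog for the CVE identifier. The package name, versions, changelog entries and the CVE-2007-00xx identifiers are all constructed placeholders, not real advisories.

```python
import re
from typing import Optional

# Constructed sample changelog: what a distro package's changelog might look
# like when a fix is backported without bumping the upstream version string.
# Package name, versions, dates and CVE-style identifiers are all made up for
# this example (CVE-2007-00xx are placeholders, not real advisories).
SAMPLE_CHANGELOG = """\
* Mon Oct 01 2007 Distro Maintainer <maint@example.invalid> - 4.0-12
- backport upstream fix for buffer overflow (CVE-2007-0001)
- backport cache handling fix (CVE-2007-0002)
* Fri Mar 02 2007 Distro Maintainer <maint@example.invalid> - 4.0-11
- rebuild against new libc
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_version(v: str) -> tuple:
    """Split a dotted version into a comparable tuple of ints ('4.0' -> (4, 0))."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def cves_in_changelog(changelog: str) -> set:
    """Collect every CVE identifier the package changelog mentions."""
    return set(CVE_RE.findall(changelog))


def naive_assessment(installed_version: str, fixed_upstream: str) -> str:
    """What a version-string-only scanner reports: backports are invisible to it."""
    if parse_version(installed_version) >= parse_version(fixed_upstream):
        return "fixed-upstream"
    return "vulnerable"


def assess(installed_version: str, fixed_upstream: str, cve: str,
           changelog: Optional[str] = None) -> str:
    """
    Classify one installed package against one advisory.

    'fixed-upstream'       : installed version is at or past the upstream fix
    'fixed-backport'       : version is older, but the changelog cites the CVE
                             (a vendor claim; only a source diff proves it)
    'unknown-no-changelog' : version is older and no changelog was available
    'vulnerable'           : version is older and the changelog is silent
    """
    if parse_version(installed_version) >= parse_version(fixed_upstream):
        return "fixed-upstream"
    if changelog is None:
        return "unknown-no-changelog"
    if cve in cves_in_changelog(changelog):
        return "fixed-backport"
    return "vulnerable"


if __name__ == "__main__":
    # Installed 4.0 vs. an upstream fix in 9.5: the naive check says
    # "vulnerable" for both CVEs; the changelog-aware check separates the
    # backported fix from the one the vendor never shipped.
    for cve in ("CVE-2007-0001", "CVE-2007-0003"):
        print(cve,
              "naive:", naive_assessment("4.0", "9.5"),
              "changelog-aware:", assess("4.0", "9.5", cve, SAMPLE_CHANGELOG))
```

The changelog check only upgrades "vulnerable" to "fixed-backport" on the vendor's say-so, which is exactly the trust problem the message describes; the states are deliberately kept distinct so a report can show which packages were verified by version, which rest on a vendor claim, and which could not be assessed at all.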