[PLUG] Joe Jobbed
Ronald Chmara
ron at Opus1.COM
Wed Oct 10 06:59:27 UTC 2007
On Oct 9, 2007, at 9:25 AM, Aaron Burt wrote:
> On Mon, Oct 08, 2007 at 08:20:21PM -0700, Ronald Chmara wrote:
>> On Oct 8, 2007, at 11:06 AM, Aaron Burt wrote:
>>> On Fri, Oct 05, 2007 at 08:11:07PM -0700, Ronald Chmara wrote:
>>>> I blame lazy distros, who don't keep on top of security (Cent,
>>>> Debian, Ubuntu, RHEL... the whole lot of 'em are to blame).
>>> What makes you say that?
>> Because every vendor-driven package manager I've used lately is 1-24
>> months behind the latest security and stability fixes for some (or in
>> a few cases, many) of its packages.
> Really? Do you have specific and significant examples that you could
> warn us about? Name 'n' shame is the security game.
CentOS 5, RHEL5 (etc.):
# php -v
If you're not at 5.2.4 (or a patched equivalent), you're running bad
code, with literally *thousands* of security and stability patches
omitted.
> And how do *you* deal with it? Does it work for an admin who's
> time-poor, needs to automate tasks and handles many hosts?
I walked into a nightmare on my current job, 4 distros, no standard
configure strings, no standard libraries, no documentation.
Here's what I'm rolling out (over time, big companies move slow):
One distro.
One .configure for the binaries.
.configure files based on the machine's "role" (mysql server, php
server, etc.)
...and so on.
> I've certainly come to
> appreciate distribution packages and updates, and careful
> version-control of packages and config files.
It's not the binaries, it's the controlled *process* that matters.
> <snip kernel vulns>
>> I dunno what the metric for "rare" is, but if we don't find any more
>> remote vulns this year, that's an average of a new remotely
>> exploitable kernel vuln every 2 months, or, since we're in October,
>> that's an average of two new kernel vulns (20/10) found every month.
> Sorry, I couldn't be arsed to patch together a 4-line wrapped URL.
Sorry.
It was a CVE search on 'linux kernel'.
> Were
> those potential 'sploits or actual ones with usable exploit code?
See prior emails.
> Those nines look awfully nice when one is justifying one's job, salary
> and/or budget to Those Who Sign The Checks.
"I prevented attacks with ten upgrades!"
"I had less than three minutes of downtime this year!"
Yeah, I hear you.
>> I'll gladly buy you a version of the package beer-0.1a-116987121.rpm
>> (an early teaspoon version of beer that was actually patched up to
>> being to a full beer).
>
> Budweiser? I'll pass. ;)
<insert joke about sex in a canoe>
-Bop