[PLUG] Joe Jobbed

Ronald Chmara ron at Opus1.COM
Wed Oct 10 06:59:27 UTC 2007


On Oct 9, 2007, at 9:25 AM, Aaron Burt wrote:
> On Mon, Oct 08, 2007 at 08:20:21PM -0700, Ronald Chmara wrote:
>> On Oct 8, 2007, at 11:06 AM, Aaron Burt wrote:
>>> On Fri, Oct 05, 2007 at 08:11:07PM -0700, Ronald Chmara wrote:
>>>> I blame lazy distros, who don't keep on top of security (Cent,
>>>> Debian, Ubuntu, RHEL... the whole lot of 'em are to blame).
>>> What makes you say that?
>> Because every vendor-driven package manager I've used lately is 1-24
>> months behind the latest security and stability fixes for some (or in
>> a few cases, many) of its packages.
> Really?  Do you have specific and significant examples that you could
> warn us about?  Name 'n' shame is the security game.

CentOS 5, RHEL5 (etc.):
# php -v

If you're not at 5.2.4 (or a patched equivalent), you're running bad
code, with literally *thousands* of security and stability patches
omitted.

> And how do *you* deal with it?  Does it work for an admin who's
> time-poor, needs to automate tasks and handles many hosts?

I walked into a nightmare on my current job, 4 distros, no standard
configure strings, no standard libraries, no documentation.
Here's what I'm rolling out (over time, big companies move slow):
One distro.
One .configure for the binaries.
.configure files based on the machine's "role" (mysql server, php
server, etc.)
...and so on.

> I've certainly come to
> appreciate distribution packages and updates, and careful
> version-control of packages and config files.

It's not the binaries, it's the controlled *process* that matters.

> <snip kernel vulns>
>> I dunno what the metric for "rare" is, but if we don't find any more
>> remote vulns this year, that's an average of a new remotely
>> exploitable kernel vuln every 2 months, or, since we're in october,
>> that's an average of two new kernel vulns (20/10) found every month.
> Sorry, I couldn't be arsed to patch together a 4-line wrapped URL.

Sorry.

It was a CVE search on 'linux kernel'.

> Were
> those potential 'sploits or actual ones with usable exploit code?

See prior emails.

> Those nines look awfully nice when one is justifying one's job, salary
> and/or budget to Those Who Sign The Checks.

"I prevented attacks with ten upgrades!"
"I had less than three minutes of downtime this year!"

Yeah, I hear you.

>> I'll gladly buy you a version of the package beer-0.1a-116987121.rpm
>> (an early teaspoon version of beer that was actually patched up to
>> being a full beer).
>
> Budweiser?  I'll pass. ;)

<insert joke about sex in a canoe>

-Bop
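Editor's note, added example (not part of Ron's message or anyone else's in this thread): the `php -v` check above is only half of the story on RHEL/CentOS, because those vendors backport security fixes into the packaged release without bumping the upstream version string, so a banner reading "PHP 5.1.6" does not by itself prove that the fixes from 5.2.4 are missing. The script below parses a `php -v` banner, compares it against a minimum version, and, when the banner is below the minimum, falls back to counting CVE references in the package changelog (`rpm -q --changelog php`, which exists on RHEL/CentOS; the Debian/Ubuntu equivalent is not shown). The sample banners are constructed for the example, not captured from any real host; the function names and the 5.2.4 threshold are the editor's choices.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post or any distro).
# Checks a `php -v` banner against a minimum upstream version, then looks for
# vendor-backported CVE fixes before declaring the install unpatched.

# parse_php_version BANNER -> prints "major.minor.patch" from the first line
# of a `php -v` banner such as "PHP 5.1.6 (cli) (built: ...)"; prints nothing
# if the banner does not start with "PHP <digits>".
parse_php_version() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B -> exit 0 if dotted version A >= B, 1 otherwise.
# Compares component by component numerically, so 5.10.0 > 5.9.9 and a
# missing component counts as 0 (5.2 < 5.2.1).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# php_version_ok BANNER MIN -> 0 if the banner version is at least MIN,
# 1 if it is older, 2 if the banner could not be parsed.
php_version_ok() {
    v=$(parse_php_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$2"
}

# backported_cve_count -> number of CVE identifiers mentioned in the installed
# php package's rpm changelog (0 when rpm or the package is absent). A non-zero
# count means the vendor shipped fixes the bare version number does not show;
# it is a hint to go read the changelog, not proof that every fix is present.
backported_cve_count() {
    command -v rpm >/dev/null 2>&1 || { echo 0; return 0; }
    rpm -q --changelog php 2>/dev/null | grep -o 'CVE-[0-9]*-[0-9]*' | sort -u | wc -l | tr -d ' '
}

# Constructed sample banners (made up for this example, not real host output):
CENTOS5_BANNER='PHP 5.1.6 (cli) (built: Jan  1 2007 00:00:00)'
UPSTREAM_BANNER='PHP 5.2.4 (cli) (built: Sep  1 2007 00:00:00)'

# Live check against the host this runs on; skipped cleanly when php is absent.
check_host() {
    min=${1:-5.2.4}
    command -v php >/dev/null 2>&1 || { echo "php is not installed here"; return 0; }
    banner=$(php -v 2>/dev/null | head -n 1)
    if php_version_ok "$banner" "$min"; then
        echo "php $(parse_php_version "$banner"): at or above $min"
    else
        echo "php $(parse_php_version "$banner"): below $min upstream;" \
             "vendor changelog mentions $(backported_cve_count) CVE ids, check it before judging"
    fi
}

# Demonstration on the constructed banners, then on the real host.
for b in "$CENTOS5_BANNER" "$UPSTREAM_BANNER"; do
    if php_version_ok "$b" 5.2.4; then
        echo "$(parse_php_version "$b") >= 5.2.4"
    else
        echo "$(parse_php_version "$b") <  5.2.4 (check vendor backports)"
    fi
done
check_host 5.2.4
```

Run it on a CentOS 5 box and the banner will come back 5.1.x; the point of `backported_cve_count` is that the next step is `rpm -q --changelog php | grep CVE`, not a rebuild from source, unless the CVE you care about is missing from that list.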
