[57023] in North American Network Operators' Group


RE: how to get people to upgrade? (Re: The weak link? DNS)

daemon@ATHENA.MIT.EDU (Charles Sprickman)
Wed Mar 26 16:58:35 2003

Date: Wed, 26 Mar 2003 16:57:28 -0500 (EST)
From: Charles Sprickman <spork@inch.com>
To: jlewis@lewis.org
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0303261244110.12785-100000@redhat1.mmaero.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Wed, 26 Mar 2003 jlewis@lewis.org wrote:

> One obvious problem with this would be that certain vendors prefer to
> backport security fixes to older versions rather than test and release
> new versions...so an insecure-looking version string may actually have
> had fixes applied.

I think you're talking about RedHat, right?  What other vendors take this
approach?  I know that at a recent job I set out to scan for what versions
of things were running on a bunch of boxes, and all the RedHat boxes were
showing as running vulnerable versions of OpenSSH.

While personally I think this is a bogus way to manage security fixes,
there are probably many many RedHat boxes out there running BIND.  Short
of pointing out the error of their ways or expecting them to roll
something into their own patches to fix the notification system, how would
you handle that?  I mean, at least on the ssh thing, they didn't even
change the version string one bit, not even a 'rh-p1' or something.  So as
far as your scanner knows, and as far as the script kiddies know, you're
running a vulnerable version.

Charles

> ----------------------------------------------------------------------
>  Jon Lewis *jlewis@lewis.org*|  I route
>  System Administrator        |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>

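The false positive Charles describes, a host whose banner still advertises the old upstream version because the vendor backported the fix without touching the version string, can be modelled in a small inventory check. The following is an added example, not code from the thread or from any vendor: it assumes the real OpenSSH banner layout `SSH-<proto>-OpenSSH_<version>`, an RPM-style `name-version-release` package string, a constructed upstream "fixed in" threshold of 3.2 (the thread names no specific advisory), and a constructed vendor table mapping package release numbers to "backport present". The point it shows is that a banner-only verdict is only trustworthy above the upstream threshold; below it, the package release recorded on the host is the only evidence that decides.

```python
"""Banner-based version checks versus vendor backports (added example)."""
import re
from typing import Optional

# Upstream version in which the fix landed. Constructed placeholder, not a
# real OpenSSH advisory: the thread does not name one.
FIXED_UPSTREAM = (3, 2)

# Constructed vendor backport table: (package, upstream version) -> smallest
# vendor *release* number whose package carries the backported fix. These
# values are hypothetical; a real table would be built from vendor errata.
BACKPORT_TABLE = {
    ("openssh", (3, 1)): 5,
}

_NUM_VER = re.compile(r"(\d+(?:\.\d+)*)")
_SSH_BANNER = re.compile(r"^SSH-[\d.]+-OpenSSH_(?P<ver>\d+(?:\.\d+)*)")


def numeric_version(text: str) -> tuple:
    """'3.1p1' -> (3, 1); the portable-release 'pN' suffix is ignored."""
    m = _NUM_VER.search(text)
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def parse_banner(banner: str) -> Optional[tuple]:
    """Extract the upstream version tuple from an OpenSSH banner, else None."""
    m = _SSH_BANNER.match(banner.strip())
    return numeric_version(m.group("ver")) if m else None


def parse_nvr(nvr: str) -> tuple:
    """Split an RPM-style name-version-release string such as 'openssh-3.1p1-6'."""
    name, ver, rel = nvr.rsplit("-", 2)
    return name, numeric_version(ver), int(rel)


def assess(banner: str, package_nvr: Optional[str] = None) -> str:
    """Classify a host as 'patched', 'vulnerable' or 'unknown'.

    Above the upstream fixed version the banner alone settles it. Below it,
    only the vendor's package release number records a backport; without
    that the host merely *looks* vulnerable, which is exactly what a
    banner-only scanner reports.
    """
    upstream = parse_banner(banner)
    if upstream is None:
        return "unknown"
    if upstream >= FIXED_UPSTREAM:
        return "patched"
    if package_nvr is None:
        return "vulnerable"  # banner-only verdict: possible false positive
    name, pkg_ver, release = parse_nvr(package_nvr)
    min_release = BACKPORT_TABLE.get((name, pkg_ver))
    if min_release is None:
        return "unknown"  # no vendor data for this package: do not guess
    return "patched" if release >= min_release else "vulnerable"


# Constructed inventory: the banner seen over the network plus, where the
# host is managed, the installed package as reported by its package manager.
HOSTS = [
    ("SSH-1.99-OpenSSH_3.4p1", None),
    ("SSH-1.99-OpenSSH_3.1p1", None),
    ("SSH-1.99-OpenSSH_3.1p1", "openssh-3.1p1-6"),
    ("SSH-1.99-OpenSSH_3.1p1", "openssh-3.1p1-3"),
    ("SSH-2.0-dropbear_0.36", None),
]


def report(hosts=HOSTS) -> list:
    """Return (banner, package, verdict) triples for the inventory."""
    return [(banner, nvr, assess(banner, nvr)) for banner, nvr in hosts]


if __name__ == "__main__":
    for banner, nvr, verdict in report():
        print(f"{banner:26} {nvr or '-':20} {verdict}")
```

The second and third inventory entries carry the same banner and get opposite verdicts; the difference is the package release, which is why a scan that reconciles banners with package-manager data (or vendor errata) is needed before a "vulnerable" finding is acted on.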