On Thu, Jun 20, 2024 at 10:08 AM Richard <rrosn...@gmail.com> wrote:
>
> The question with Linux isn't if there's a need to update to the latest 
> version (of the distro) like on Windows, but rather what's keeping you from 
> updating? If there's no urgent reason to stick to 11, update. 11 is now 
> oldstable and will become oldoldstable mid next year. Thus, it currently 
> gets fewer updates - no idea how the situation is with security updates 
> compared to stable. 10 reaches end of life in about a month or so. So that's 
> the timetable you'll need to keep in mind. Of course, right now there isn't 
> anything forcing you to update, you merely need to update within the next two 
> years to keep getting updates. But chances are very low with more 
> conservative distros like Debian that upgrading will have more drawbacks than 
> benefits. Of course it can always be a smart choice to wait for the first one 
> or two dot releases, as they will fix issues previously unnoticed or where 
> the fix wasn't ready on time. But that's all.

One additional data point to consider... there are folks who have
exploits written for vulnerabilities that the community does not know
about.

Generally speaking, the older the software, the more exploits are
available. Developers generally don't work on old versions of their
software. Instead, they fix some things, release a new version and
move on. The only chance to fix the vulnerability is to move to a newer
version of the software by building it yourself or using the latest
distro release.

Folks who deal in vulnerabilities and exploits adore the old software
because nothing gets fixed, so their exploits continue to work on old
versions of software. As Greg Kroah-Hartman noted: [1]

    We have a very bad history of keeping bugs alive for a long time.
    Somebody did a check of it, most known bugs live for five years in
    systems. These are things that people know and know how to exploit.
    They’re not closed. That’s a problem in our infrastructure...

CVE tracking is not the answer because that assumes every exploitable
bug is tagged with a CVE. There are lots of bugs out there that are
not tracked with a CVE, yet are exploitable. See, for example, the
TTY1 layer bug discussed in [1]. It took over 3 years to figure out it
was exploitable and for the patches to be backported.

(I have first hand knowledge of how one firm operates. The firm sells
their exploits to Northrop Grumman Electronic Warfare Division.)

[1] https://thenewstack.io/design-system-can-update-greg-kroah-hartman-linux-security/

Jeff

> On Thu, 20 June 2024 at 09:58, Jeff Peng <j...@tls-mail.com> wrote:
>>
>> I am running a small mailserver with debian 11 for many years. It's
>> quite solid.
>> Though I have read this article:
>> https://www.cherryservers.com/blog/debian-12-bookworm-release
>> do you think there is any need for me to upgrade from 11 to 12?
>> just for the newer software like postfix, dovecot?
>>
>> Thanks.
