I agree with you wholeheartedly. I run drakupdate every Monday
religiously, although I don't subscribe to the security list for
Mandrake. But I think I will now.
Dave
On Thursday 18 January 2001 10:59, you wrote:
> On Thu Jan 18, 2001 at 09:59:15AM -0800, Dave Sherman wrote:
> > Since Mandrake is Redhat based, I would assume that we ARE
> > vulnerable to the same attack, until and unless Mandrake publicly
> > says otherwise. Hopefully Mandrake will announce something, one way
> > or the other, soon.
>
> Not true. While I haven't seen the worm itself to know for certain
> one way or the other, I've been told it specifically targets RH 6.2
> and 7.0 machines. This would leave other distributions alone.
> *However*, since I wouldn't ask anyone to rely on that and/or use it
> as an excuse, the simple response (for any distribution) is simple:
>
> 1) Subscribe to vendor security mailing lists. Announcement lists of
> a security nature are generally small bandwidth with infrequent
> posts.
>
> 2) Update update update!!! If an update is released, it's for *your*
> health, not ours. We don't do this kind of work for fun (I know
> I'd rather spend my time doing other things than back-porting
> fixes to 6.0!). There is a reason why security updates are released.
>
> In other words, all versions of Linux-Mandrake 6.0 to present *with
> appropriate security updates applied* are not vulnerable.
>
> I posted previously the relevant web pages that indicate the
> vulnerabilities this worm takes advantage of have been fixed last
> year.
--
Quid quid latine dictum sit, altum viditur.