I did subscribe to the Mandrake security announcement list, but I never
get anything from it. What's up with that?
--
Mark
"If you don't share your concepts and ideals, they end up being worthless,"
"Sharing is what makes them powerful."
Linus Torvalds
On Thu, 18 Jan 2001, Vincent Danen wrote:
> On Thu Jan 18, 2001 at 09:59:15AM -0800, Dave Sherman wrote:
>
> > Since Mandrake is Redhat based, I would assume that we ARE vulnerable to
> > the same attack, until and unless Mandrake publicly says otherwise.
> > Hopefully Mandrake will announce something, one way or the other, soon.
>
> Not true. While I haven't seen the worm itself to know for certain
> one way or the other, I've been told it specifically targets RH 6.2
> and 7.0 machines. This would leave other distributions alone.
> *However*, since I wouldn't ask anyone to rely on that and/or use it
> as an excuse, the simple response (for any distribution) is simple:
>
> 1) Subscribe to vendor security mailing lists. Announcement lists of
> a security nature are generally small bandwidth with infrequent
> posts.
>
> 2) Update update update!!! If an update is released, it's for *your*
> health, not ours. We don't do this kind of work for fun (I know
> I'd rather spend my time doing other things than back-porting fixes
> to 6.0!). There is a reason why security updates are released.
>
> In other words, all versions of Linux-Mandrake 6.0 to present *with
> appropriate security updates applied* are not vulnerable.
>
> I posted previously the relevant web pages that indicate the
> vulnerabilities this worm takes advantage of have been fixed last year.
>
>