Agathoklis D. Hatzimanikas wrote: > On Mon, Apr 27, at 02:52 Bruce Dubbs wrote: >> Mike McCarty wrote: >>
[...] >>> >>> I was hoping to get more information about how to evaluate my exposure. >> Look at the source of the patch. The header says that the changes are from >> upstream. They will be in future versions of the code. To evaluate the >> vulnerability, the header says it fixes CVE-2009-1185 and CVE-2009-1186. >> Google >> that and you can read all about it. > > This is pretty serious. > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1185 > http://c-skills.blogspot.com/2009/04/udev-trickery-cve-2009-1185-and-cve.html > http://xorl.wordpress.com/2009/04/17/cve-2009-1185-linux-udev-path-encoding/ I'll look into that. Thanks! > > And for Mike, > > LFS is actually teaching administration, so it has the obligation and > the duty to teach the user to follow religiously the recommendations as > far it concerns security problems; in fact I would like to use the > *preach* expression instead of teach, to emphasize how the administrator > should take seriously the security domain. Umm, while I agree in principle with taking things like this seriously, an important part of administration is knowing not only what vulnerabilities there are, but what one's own exposure may be. So, simply issuing serious warnings and recommending all to upgrade doesn't give the full story. > So while the individual can choose, by looking to the security reports, > not to fix the vulnerabilities in her machine, in LFS we have *no* other > choice than to report them and publish fixes (if available), no matter how > critical they are. We are talking here about practices. No argument here about publishing, and I appreciate it. I'm not convinced that best practice is always to accept security updates immediately, or even ever (necessarily). I've seen security updates retracted. Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} Oppose globalization and One World Governments like the UN. This message made from 100% recycled bits. You have found the bank of Larn. I speak only for myself, and I am unanimous in that! -- http://linuxfromscratch.org/mailman/listinfo/lfs-support FAQ: http://www.linuxfromscratch.org/lfs/faq.html Unsubscribe: See the above information page
