This is another case where a change was made. If the change had not been made (implement the new kernel) then the vulnerability would not have been introduced.
The more examples people think they find, the more it proves my proposition. Vulnerabilities can only be introduced or removed through change. If there is no change, then the vulnerability profile is fixed. >-----Original Message----- >From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of >valdis.kletni...@vt.edu >Sent: Saturday, 27 September, 2014 22:47 >To: Jay Ashworth >Cc: NANOG >Subject: Re: update > >On Sat, 27 Sep 2014 21:10:28 -0400, Jay Ashworth said: > >> I haven't an example case, but it is theoretically possible. > >The sendmail setuid bug, where it failed to check the return code >because it was *never* possible for setuid from root to non-root to >fail... >... until the Linux kernel grew new features.
