Greetings,

On Wednesday, 18 February 2004 21:31, Otavio Salvador wrote:
> Florian Weimer <[EMAIL PROTECTED]> writes:
> > Jan Lühr wrote:
> >> Does this mean that a well-known exploit was kept back for nearly three
> >> weeks, just because some odd vendors were unable to build their kernels
> >> in time?
> >
> > Yes, this is the norm. Debian hides security bugs from its users for
> > extended periods of time.
>
> Yes, but this has a reason. Before uploading a fix, it needs to be available
> on all supported archs and tested, since the majority of users install it
> trusting the Debian Security Team, and because of this it should not fail ;-)

Well, of course you might have quite good reasons for doing so, but for me this is quite a good reason for changing the distro or OS. Hiding unfixed holes is one thing (and I appreciate that partly), but hiding already fixed packages is quite astonishing, and you cannot tell me you need more than two weeks to test a simple correction.

May I ask you which local/remote root exploit fixes you are holding back currently? Should I switch off my sshd for the next few days, or does the current bash have an unfixed local root exploit?

This is exactly the same policy M$ has, but the point is, you could at least inform your users. An unknown local root exploit was one of the key parts in the Debian server compromise, and we have all seen the consequences. Surely you can see that I want to keep this risk as small as possible on my servers.

Keep smiling
yanosz