On Tue, Oct 23, 2001 at 01:19:58PM +0200, Philipp Schulte wrote:
> On Mon, Oct 22, 2001 at 06:21:51AM -0300, Peter Cordes wrote:
>
> > Just as you automate everything you can, in the name of laziness, you can
> > wait until stuff falls into your lap instead of going out and fixing it
> > yourself, if the problem is not at all likely to lead to any real problems
> > for your system.
>
> And where is the relation to "security"?

If there is no real security risk to your system (e.g. you weren't using the feature that the problem is in), then you can wait for the security team to handle it and upload a new package. If you have multiple layers of defence, and the vulnerability only takes out one of them, then you can wait a while instead of fixing it yourself. (e.g. with this ssh vuln., you would only be at real risk if attackers actually had the necessary keys, but not access to an IP that you allowed logins from. If you were pretty sure that nobody had stolen your keys, you wouldn't really have to worry about the vuln.)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE