begin Patrick Hsieh quotation:
>
> If the fixed packages of woody take a couple of days before dropping
> into the official woody archive, then my woody system will become
> vulnerable in this period. I am kinda paranoid in this way?

Your system doesn't "become vulnerable" the minute a patch is created for a vulnerability. Your system is vulnerable from the moment the package with the bug is installed.

When you become aware of a vulnerability, take steps to temporarily correct the problem yourself. If you can, do without that service until it's fixed. Use tcp wrappers or firewalling to control access to it, or completely block it and use ssh tunnels to access it.

If you can't do any of those, go get the fixed version from the author's web site, and install it manually. If you do this carefully you can easily back it out when a Debian package is available. This is especially easy if the author provides .debs.

Or switch to a different package that serves the same purpose. For example, Debian offers several different ftp daemons. If your favorite has a vulnerability, and you just HAVE to use ftp, then you can switch to a different one for a while, or even forever. (Or, better yet, take advantage of this opportunity to stop using ftp.)

-- 
Join the Sergio Brandano Fan Club:
http://lists.debian.org/debian-user/1999/debian-user-199910/msg00981.html
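
An added example, not part of the original message: one way to stage the "tcp wrappers plus ssh tunnel" mitigation mentioned above and check the rules before installing them. The daemon name `exampled`, port 8080 and the client addresses are assumptions, and the matcher covers only a simplified subset of hosts_access(5).

```shell
#!/bin/sh
# Added example. "exampled" is a hypothetical daemon name; addresses are constructed.

# Rules that confine a tcp-wrapped daemon to loopback, so that it is only
# reachable through an ssh tunnel such as:
#   ssh -L 8080:127.0.0.1:8080 user@server   (port 8080 is an assumption)
allow_rules() { printf '%s: 127.0.0.1\n' "$1"; }
deny_rules()  { printf '%s: ALL\n' "$1"; }

# match_file FILE DAEMON CLIENT: succeed if a "daemon: client" rule matches.
# Simplified subset of hosts_access(5): one daemon and one client per line,
# client pattern is ALL or an exact address.
match_file() {
    while IFS=: read -r d c; do
        d=$(printf '%s' "$d" | tr -d ' \t')
        c=$(printf '%s' "$c" | tr -d ' \t')
        case "$d" in "$2"|ALL) ;; *) continue ;; esac
        case "$c" in ALL|"$3") return 0 ;; esac
    done < "$1"
    return 1
}

# decision ALLOW_FILE DENY_FILE DAEMON CLIENT
# Order used by tcp wrappers: a hosts.allow match grants access, else a
# hosts.deny match denies it, else access is granted.
decision() {
    if match_file "$1" "$3" "$4"; then echo allow
    elif match_file "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Stage the rules in a scratch directory and check them before installing.
stage=$(mktemp -d)
allow_rules exampled > "$stage/hosts.allow"
deny_rules  exampled > "$stage/hosts.deny"
for client in 127.0.0.1 203.0.113.7; do
    echo "$client: $(decision "$stage/hosts.allow" "$stage/hosts.deny" exampled "$client")"
done
```

The rules only take effect for services that are started through tcpd or linked against libwrap; anything else needs the firewall route instead.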