Paul Schmehl wrote:
> --On October 15, 2006 7:49:55 PM +0200 Thomas <[EMAIL PROTECTED]>
> No offense, but anybody who *deliberately* installs a vulnerable version
> of php in *today's* world, is an absolute fool. Some of us are *stuck*
> with the vulnerable version, because we installed before the
> vulnerability was found. We can't go back because previous versions are
Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
make -DDISABLE_VULNERABILITIES install clean
It will ignore the vuxml entry.
> But *deliberately* installing it when you *know* it's vulnerable - and
> one of the most attacked applications on the internet? Foolhardy
> doesn't quite grasp the insanity of that.
That is a bit extreme. I have a full workload, I put in about 60 hours a
week (I work a lot of weekends, I'm working now). I have servers running
all different versions of apps. I can't go around upgrading everything at
the drop of a hat. I would be divorced within a month.
If you read the security alerts carefully you will find many require a
shell (We don't offer them to clients), some require a specific app to
be running that you may not need (rm -f /usr/local/bin/vulnerable_app),
and sometimes a simple code audit will tell you if you are vulnerable.
It is also not uncommon that a security alert is issued for a problem
that has not been proven in the wild.
There are plenty of reasons to not follow a security alert, many of them
quite valid. Upgrading mission critical systems without thoroughly
understanding the implications just because someone screamed SECURITY!,
now that is foolhardy.
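As an added illustration (not part of the thread, and not the ports tree's own code), this shows what the vuxml check that -DDISABLE_VULNERABILITIES skips actually does: it matches the package name and version against each entry's ranges, so an admin can list the entries that apply and read them before deciding whether to upgrade. The vuxml document embedded below is constructed for the example (the vid and range are not a real advisory), and the version comparator is a simplified form of pkg_version ordering.

```python
"""Added example: check a package/version against VuXML-style entries."""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/2004/vuxml-1.0"}

# Constructed document in the VuXML layout; the vid and range are
# illustrative, not a real advisory entry.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/2004/vuxml-1.0">
  <vuln vid="00000000-constructed-example">
    <topic>php5 -- constructed example entry</topic>
    <affects><package>
      <name>php5</name>
      <range><ge>5.1</ge><lt>5.1.6_2</lt></range>
    </package></affects>
  </vuln>
</vuxml>"""

def version_key(version):
    """Simplified pkg_version ordering: epoch (after ','), the numeric
    components of the version, then the port revision (after '_').
    Letters inside the version are ignored, unlike the real comparator."""
    epoch = 0
    if "," in version:
        version, epoch = version.split(",", 1)
    revision = 0
    if "_" in version:
        version, revision = version.split("_", 1)
    return (int(epoch), [int(p) for p in re.findall(r"\d+", version)], int(revision))

BOUNDS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
          "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
          "eq": lambda a, b: a == b}

def affected_entries(vuxml_text, pkgname, version):
    """Return (vid, topic) for each vuln whose ranges cover pkgname-version.
    A range matches when all of its bounds hold; any matching range suffices."""
    hits = []
    for vuln in ET.fromstring(vuxml_text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            if pkg.findtext("v:name", namespaces=NS) != pkgname:
                continue
            for rng in pkg.findall("v:range", NS):
                if all(BOUNDS[b.tag.split("}")[1]](version_key(version), version_key(b.text))
                       for b in rng):
                    hits.append((vuln.get("vid"), vuln.findtext("v:topic", namespaces=NS)))
                    break
    return hits
```

Running affected_entries(SAMPLE_VUXML, "php5", "5.1.6_1") lists the constructed entry, while "5.1.6_2" falls outside its range and returns nothing.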