On Wed, Nov 06, 2019 at 08:09:55AM +0000, 
apcoeproductnotificati...@wellsfargo.com wrote:
> Hi Rob/Thomas,
> Good day!!
> 
> Thanks for the update, so as per the link the current patch is 2.0.8 released
> on 23-10-2019, request you to please confirm whether this patch is also a
> security patch and fixing any vulnerability (please provide CVE if available)
> or not as it has one major bug fix in the release notes.

Well, it was marked security since considered as such by the reporter
even though it requires you to use a vulnerable server and to purposely
write a bogus configuration, so my personal opinion on it is that it's
very minor compared to all the issues we fix on a daily basis.

In addition, please note that ALL FIXES ARE IMPORTANT and that if you're
trying to only pick fixes explicitly marked as security, you'll end up
with the most bogus load balancer on earth, and you'd rather not do this
at all if you care for your site's availability.

Focusing on CVEs only is part of what Linus Torvalds calls the "security
circus" and I fully agree with him on that, considering how harmful most
bugs can be for production and which are dropped by people focusing on CVE
only and who instead pick irrelevant stuff because these have a "security"
sticker. Also please have a look at this presentation by GregKH explaining
the ridiculous situation we've reached with CVE nowadays:

    https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/

In short if you're wondering what patch to pick, you WILL eventually
cause some disaster on your production that only YOU will be responsible
for, by having deliberately rejected important fixes. You'd rather rely
on up-to-date releases, either from sources if you build yourself, or
from distro maintainers if you prefer to use pre-built packages. The
project maintainers devote a lot of time maintaining stable branches
containing only fixes precisely so that nobody has to duplicate this
boring and dangerous job.

Note that if you fear regressions, it's normal. Nobody likes to face
them. In this case, just wait one week or even one month for others to
deploy a new version before you do so, and you'll know if you're taking
any risk. Everyone does this depending on the criticality. What is certain
is that by not updating you're taking the risk to hit any of the hundreds
of bugs that are known and fixed upstream.

Willy