Hi Willy,

Thanks for the info, but honestly I am not focusing only on security fixes. I need 
confirmation whether 2.0.8 is a security patch or a discretionary patch so that I 
can work on it accordingly on the basis of the patch type.


-----Original Message-----
From: Willy Tarreau <w...@1wt.eu> 
Sent: Wednesday, November 6, 2019 2:15 PM
To: APCoE Product Notifications <apcoeproductnotificati...@wellsfargo.com>
Cc: xro...@gmail.com; haproxy@formilux.org; Na, Anurag 
Subject: Re: Product Info

On Wed, Nov 06, 2019 at 08:09:55AM +0000, 
apcoeproductnotificati...@wellsfargo.com wrote:
> Hi Rob/Thomas,
> Good day!!
> Thanks for the update, so as per the link the current patch is 2.0.8 
> released on 23-10-2019, request you to please confirm whether this 
> patch is also a security patch and fixing any vulnerability (please 
> provide CVE if available) or not as it has one major bug fix in the release 
> notes.

Well, it was marked security since it was considered as such by the reporter, 
even though it requires you to use a vulnerable server and to purposely write a 
bogus configuration, so my personal opinion on it is that it's very minor 
compared to all the issues we fix on a daily basis.

In addition, please note that ALL FIXES ARE IMPORTANT and that if you're trying 
to only pick fixes explicitly marked as security, you'll end up with the most 
bogus load balancer on earth, and you'd rather not do this at all if you care 
for your site's availability.

Focusing on CVEs only is part of what Linus Torvalds calls the "security 
circus" and I fully agree with him on that, considering how harmful most bugs 
can be for production and which are dropped by people focusing on CVE only and 
who instead pick irrelevant stuff because these have a "security"
sticker. Also please have a look at this presentation by GregKH explaining the 
ridiculous situation we've reached with CVE nowadays:


In short, if you're wondering what patch to pick, you WILL eventually cause some 
disaster on your production that only YOU will be responsible for, by having 
deliberately rejected important fixes. You'd rather rely on up-to-date 
releases, either from sources if you build yourself, or from distro maintainers 
if you prefer to use pre-built packages. The project maintainers devote a lot 
of time maintaining stable branches containing only fixes precisely so that 
nobody has to duplicate this boring and dangerous job.

Note that if you fear regressions, it's normal. Nobody likes to face them. In 
this case, just wait one week or even one month for others to deploy a new 
version before you do so, and you'll know if you're taking any risk. Everyone 
does this depending on the criticality. What is certain is that by not updating 
you're taking the risk of hitting any of the hundreds of bugs that are known and 
fixed upstream.
