On Sun, 20 May 2007 21:53:08 +1200 Jim Cheetham <[EMAIL PROTECTED]> wrote:
[snip]
> Basically, in the real world, "fast patching" is not a panacea.
>
> -jim
Sure, but I said that you need the ability to patch immediately if necessary, which does not mean indiscriminately, or without your own examination, analysis or testing.

Here's a good example... Today, debian released a fix for a fairly serious bug in php.

> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1296-1                    [EMAIL PROTECTED]
> http://www.debian.org/security/                        Moritz Muehlenhoff
> May 21st, 2007                          http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package        : php4
> Vulnerability  : missing input sanitising
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CVE-2007-2509
>
> It was discovered that the ftp extension of PHP, a server-side,
> HTML-embedded scripting language performs insufficient input sanitising,
> which permits an attacker to execute arbitrary FTP commands. This
> requires the attacker to already have access to the FTP server.

But, going to the release notes for php 4.4.7...

> Version 4.4.7
> 03-May-2007
>
> snip...
> * Fixed CRLF injection inside ftp_putcmd().

So you have lost up to 18 days protection from a known security breach by relying on the debian fix.

I'm sticking with source code (:

Steve
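The bug class the advisory and the 4.4.7 release note refer to, as an added example that is not part of this thread and not PHP's own ext/ftp source: a minimal model of an FTP command writer. The vulnerable version copies the caller's argument straight into the "CMD ARG\r\n" line, so an argument that itself contains "\r\n" ends the line early and whatever follows is delivered to the server as a second command. The hardened version refuses arguments containing CR or LF before anything reaches the wire, which is the shape of check the release note implies; the exact PHP patch is not quoted here, and the function names below are hypothetical.

```c
/* Added example for this thread: CRLF injection in an FTP command
 * writer, vulnerable form beside the hardened form. Hypothetical
 * names; not PHP's ext/ftp code. */
#include <stdio.h>
#include <string.h>

/* Build "CMD ARG\r\n" into out. VULNERABLE: the argument is copied
 * verbatim, so an embedded "\r\n" splits the buffer into two FTP
 * command lines. Returns the length written, or -1 on truncation. */
static int build_ftp_cmd_unsafe(char *out, size_t outsz,
                                const char *cmd, const char *arg)
{
    int n = snprintf(out, outsz, "%s %s\r\n", cmd, arg);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* HARDENED: reject any command or argument containing CR or LF, so
 * the caller can never make the server see more than one command
 * per call. Returns -1 on rejection or truncation. */
static int build_ftp_cmd_safe(char *out, size_t outsz,
                              const char *cmd, const char *arg)
{
    if (strpbrk(cmd, "\r\n") || strpbrk(arg, "\r\n"))
        return -1;
    return build_ftp_cmd_unsafe(out, outsz, cmd, arg);
}

/* Count the FTP command lines a buffer would deliver, i.e. the
 * number of CRLF terminators. A single call should yield exactly 1. */
static int count_ftp_lines(const char *buf)
{
    int n = 0;
    for (const char *p = buf; (p = strstr(p, "\r\n")) != NULL; p += 2)
        n++;
    return n;
}

int main(void)
{
    char buf[256];
    /* Constructed attacker-controlled argument: a username that
     * smuggles a DELE command behind a line terminator. */
    const char *evil = "anonymous\r\nDELE important.txt";

    if (build_ftp_cmd_unsafe(buf, sizeof buf, "USER", evil) > 0)
        printf("unsafe: %d command(s) would be sent\n", count_ftp_lines(buf));
    if (build_ftp_cmd_safe(buf, sizeof buf, "USER", evil) < 0)
        printf("safe: argument containing CR/LF rejected\n");
    return 0;
}
```

Rejecting the input outright, rather than stripping the CR/LF and sending the rest, is the conservative choice: silently rewriting an attacker-supplied value still hands the server something the caller never reviewed.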
