On Fri, Oct 13, 2006 at 04:29:08PM -0400, Jeffrey Hutzelman wrote: > On Friday, October 13, 2006 09:18:24 PM +0200 Axel Thimm > <[EMAIL PROTECTED]> wrote: > > >But please do simply upgrade your kernel package. It is important for > >the security of your system and will also enable you to start with > >existing binary packages. > > You keep saying this, as if anyone who is running a kernel released earlier > than yesterday must be a fool and unworthy of assistance.
(Let me start by commenting that I consider your reply as a bit
unnecessary polemic, but won't bite)
I'm neither implying anyone's a fool, nor promoting non-security
related upgrades and certainly not considering anyone "unworthy of
assistance".
o The kernel that has been references is older than half a year and
had *6* security updates since (and many more non-security updates)
060419 [SECURITY] Fedora Core 5 Update: kernel-2.6.16-1.2096_FC5
060503 [SECURITY] Fedora Core 5 Update: kernel-2.6.16-1.2107_FC5
060521 [SECURITY] Fedora Core 5 Update: kernel-2.6.16-1.2122_FC5
060611 [SECURITY] Fedora Core 5 Update: kernel-2.6.16-1.2133_FC5
060705 [SECURITY] Fedora Core 5 Update: kernel-2.6.17-1.2145_FC5
060714 [SECURITY] Fedora Core 5 Update: kernel-2.6.17-1.2157_FC5
> But many of us on this list run large computing environments, not
> one-off machines, and releasing new software in such an environment
> can take a long time.
o If you want to run Fedora Core, you need to keep up with the pace of
it. If you cannot there are RHEL and clones and other enterprise
grade Linuxes/Unices that have a much slower upgrade pace fitted to
your environment. Allowing security vulnerabilities to creep into a
large environment by design (e.g. by chosing a platform that you
cannot maintain as the vendor requires you to) should be
revised. Many such environments are using CentOS or Scientific
Linux, you should really follow that route.
o Not updating a system for any reason only makes sense in a properly
firewalled environment not offering any exposure to the net. But
openafs is about (non-local) networking, so especially for openafs
you should harden your systems even more. Keeping the kernel free of
known security vulenrabilities is an essential part of it.
o "unworthy of assistance": I have explained how to rebuild the kmdl
for any kernel, but strongly recommended to upgrade the kernel
first. What part of it is misunderstood as "unworthy of
assistance"???
I also consider this advice and this very mail as assistance. If it
makes a couple more people aware of the issues associated with
running outdated kernels and other system parts on the net and they
fix their security vulnerabilities then it will have been a very
good assisance to them.
--
Axel.Thimm at ATrpms.net
pgpBWFt9T9AQw.pgp
Description: PGP signature
