Re: [Full-Disclosure] No Subject (re: openssh exploit code?)
From: Kenneth R. van Wyk (ken_at_vanwyk.org)
Date: 10/21/03
- Previous message: Robert Ahnemann: "RE: [Full-Disclosure] No Subject (re: openssh exploit code?)"
- In reply to: Robert Ahnemann: "RE: [Full-Disclosure] No Subject (re: openssh exploit code?)"
- Next in thread: Schmehl, Paul L: "RE: [Full-Disclosure] No Subject (re: openssh exploit code?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <full-disclosure@lists.netsys.com> Date: Tue, 21 Oct 2003 17:26:18 -0400
On Tuesday 21 October 2003 17:07, Robert Ahnemann wrote:
> I flip to the local radar and get some sort of proof that there might be
> a thunderstorm coming. Talk is cheap (as was said), so its up to the
> admin to verify if A) there is a real threat B) the threat applies to
> your systems C) the threat damage is worth the damage of 'unscheduled
> downtime'
FWIW, I agree that these are all reasonable steps to take in order to help
prioritize whether (exiting the analogy...) you should apply the patch to
YOUR systems. There's a couple other complicating factors that I haven't
seen mentioned in this thread, though -- apologies if I've overlooked them:
1) I've seen patches break applications. When applying a patch to a
production app server, it's a good career-stabilizing move to test the patch
to ensure that, if NOTHING else, the app still works once the patch is in
place.
2) Change management in some tightly controlled production data centers can be
extreme. This is particularly true for environments in which change
management has regulatory oversight -- such as in the pharmaceutical
industry, where servers have to be FDA certified (in the USA, at least).
That is, in some cases, even if you KNOW that the storm is coming and it is
highly likely to hit you, you cannot take the corrective action that you
think is called for. In cases like this, it may be prudent to look for other
workarounds to protect those production systems...
There's a lot of variables and complexity to the patch-and-chase process. If
were only so simple to run {windows update|apt-get upgrade|up2date|...} on
all of our systems, we would have figured it out by now. IMHO.
Cheers,
Ken van Wyk
http://www.krvw.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Robert Ahnemann: "RE: [Full-Disclosure] No Subject (re: openssh exploit code?)"
- In reply to: Robert Ahnemann: "RE: [Full-Disclosure] No Subject (re: openssh exploit code?)"
- Next in thread: Schmehl, Paul L: "RE: [Full-Disclosure] No Subject (re: openssh exploit code?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
