Re: Procedure for handling actively exploited security bugs with patches?

On Feb 9, 2008 12:11 PM, Lubomir Kundrak <lkundrak@xxxxxxxxxx> wrote:
> Hi,
>
> On Fri, 2008-02-08 at 21:16 -0800, Bryan O'Sullivan wrote:
> > A bug in a piece of widely used PHP-based software was announced a few
> > days ago, and it's now being actively exploited by spammers:
> >
> > http://wordpress.org/development/2008/02/wordpress-233/
> >
> > Affected machines include my server, which is running F-8.  Eep.
>
> Pardon me -- my point of view is by using WordPress you voluntarily agree
> to get exploited, and no WordPress vulnerability is ever to be
> considered as having priority higher than low.
>
...

>
> Please note that responsible configuration in most cases implies no
> WordPress. Don't get me wrong please -- look at its security track.
>
> PS: Note we may be on during weekends too anyways -- as I am now.
> Remember we fixed a security issue on Christmas Eve.
>
> Thanks,
> --
> Lubomir Kundrak (Red Hat Security Response Team)
>

Wow, I would say the same thing about the kernel. I mean, look at its
track record... over the last 6 months and many years there have been
tons of security updates for it. Are there any packages that don't hit
that litmus check (other than maybe DJB software)?

People use the tools that are useful for them. The job of a security
professional is to help them make better choices. In some cases that
is making the tool better; in other cases it is finding them a better
tool to work with. Commenting about how one feels a software choice
was poor when that person is dealing with a crisis does not help the
person affected at all, and gives, in this case, Red Hat, Fedora, and
other security professionals a bad name.


-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
