Re: Security/package update release frequency


Subject: Re: Security/package update release frequency
From: Paul Schinder (schinder@pobox.com)
Date: Tue Jul 25 2000 - 18:22:04 MDT


At 2:30 PM -0400 7/25/00, Kevin M. Myer wrote:
>Hi,
>
>I was wondering if anyone could comment on the apparent lack of
>security/package updates for the Champion Server 1.2 release. The last
>released update I can find was the etcskel package, dated May 7, 2000.
>In the meantime, a serious bug has been exposed in the Linux kernel (all
>versions <= 2.2.15), there have been theoretically exploitable NFS holes,
>the ability to eavesdrop on EMACS process communication by non-privileged
>users, etc. I am just wondering why Yellowdog has ceased to release
>updates? Is the release and development of Gone Home more important than
>the ongoing security of a distribution? Is the staff overworked and
>security falls by the wayside? Are we witnessing security through
>obscurity being played out, since the percentage of vulnerable x86
>machines is higher than the percentage of vulnerable PPC machines, simply
>because there are that many more x86 machines and shell code is a dime a
>dozen for that architecture?

I was wondering the same thing. Neither YDL nor LinuxPPC has issued
fixes for the various problems that have arisen in the past few
months. And the nfs-utils exploit that showed up on BUGTRAQ was for
PPC (although it was disabled).

>
>Just wondering - I keep checking for updates and see none and am wondering
>why that is the case.

I've been grabbing the source rpms from RedHat (or once the source
from Debian) and compiling them. So far that's worked well. They've
been prompt in getting fixes out.

>
>Kevin
>
>--
>Kevin M. Myer
>Systems Administrator
>Lancaster-Lebanon Intermediate Unit 13
>(717)-560-6140

-- 
Paul Schinder
schinder@pobox.com
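The workaround Paul describes (rebuilding another vendor's source RPM on a PPC box) is the kind of thing worth scripting so the signature check is never skipped. The script below is an added example, not code from either poster or from Yellow Dog or LinuxPPC. It assumes the SRPM has already been downloaded, that the vendor's signing key is already in the rpm keyring, and that either `rpmbuild` (newer rpm) or `rpm --rebuild` (rpm 3.x era) is available; the file name `example-pkg-1.2.3-4.src.rpm` used in the comments is a constructed sample, not a real package.

```shell
#!/bin/sh
# Added example (not from the original thread): rebuild a vendor SRPM for the
# local architecture, refusing to build unless the package signature verifies.

# Split "name-version-release.src.rpm" into its three fields. Package names
# may themselves contain dashes (nfs-utils, for instance), so strip from the
# right: release is the last dash-separated field, version the one before it,
# and whatever remains is the name. e.g. example-pkg-1.2.3-4.src.rpm (constructed)
# -> name example-pkg, version 1.2.3, release 4.
srpm_name() {
    base=${1##*/}            # drop any directory component
    base=${base%.src.rpm}    # drop the suffix
    vr=${base%-*}            # name-version
    printf '%s\n' "${vr%-*}"
}
srpm_version() {
    base=${1##*/}; base=${base%.src.rpm}
    vr=${base%-*}
    printf '%s\n' "${vr##*-}"
}
srpm_release() {
    base=${1##*/}; base=${base%.src.rpm}
    printf '%s\n' "${base##*-}"
}

# Check the package signature before building anything from it. rpm -K
# (alias --checksig) exits non-zero on a bad signature or a signature made
# with a key that is not in the keyring. Caveat: a package carrying no
# signature at all, only digests, still passes; see the usage note.
verify_srpm() {
    rpm -K "$1" >/dev/null 2>&1
}

# Rebuild for whatever architecture rpm detects locally. rpmbuild is the
# modern entry point; older rpm accepted --rebuild on the rpm binary itself.
rebuild_srpm() {
    if command -v rpmbuild >/dev/null 2>&1; then
        rpmbuild --rebuild "$1"
    else
        rpm --rebuild "$1"
    fi
}

main() {
    srpm=$1
    [ -f "$srpm" ] || { echo "no such file: $srpm" >&2; return 2; }
    echo "rebuilding $(srpm_name "$srpm") $(srpm_version "$srpm")-$(srpm_release "$srpm")"
    if ! verify_srpm "$srpm"; then
        echo "signature check failed, refusing to build $srpm" >&2
        return 1
    fi
    rebuild_srpm "$srpm"
}

# Only run when given an argument, so the helper functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: `sh rebuild-srpm.sh /path/to/package.src.rpm`. Because `rpm -K` reports only on the signatures that are present, an unsigned package with intact digests is accepted; when pulling packages from a vendor you do not otherwise trust, read the verbose output of `rpm -Kv` and confirm a GPG or PGP line is there before building, rather than relying on the exit status alone.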



This archive was generated by hypermail 2a24 : Tue Jul 25 2000 - 18:25:53 MDT