From owner-freebsd-questions@FreeBSD.ORG Sun Oct 15 21:08:56 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2081F16A417 for ; Sun, 15 Oct 2006 21:08:56 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from mail.stovebolt.com (webmail.stovebolt.com [66.221.101.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9634F43D75 for ; Sun, 15 Oct 2006 21:08:49 +0000 (GMT) (envelope-from pauls@utdallas.edu) Received: from [192.168.2.102] (adsl-65-69-141-242.dsl.rcsntx.swbell.net [65.69.141.242]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.stovebolt.com (Postfix) with ESMTP id 63C10114313 for ; Sun, 15 Oct 2006 16:09:56 -0500 (CDT) Date: Sun, 15 Oct 2006 16:08:39 -0500 From: Paul Schmehl To: freebsd-questions@freebsd.org Message-ID: In-Reply-To: <45329AB4.1000508@pixelhammer.com> References: <45322A1D.8070204@hadara.ps> <20061015151215.15a4062e@loki.starkstrom.lan> <200610151239.12127.freebsd@dfwlp.com> <453274C3.7090409@bsdunix.ch> <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local> <45329AB4.1000508@pixelhammer.com> X-Mailer: Mulberry/4.0.5 (Mac OS X) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=sha1; protocol="application/pkcs7-signature"; boundary="==========9168764B833293E07355==========" X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: PHP new vulnarabilities X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Oct 2006 21:08:56 -0000 --==========9168764B833293E07355========== Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline --On October 15, 2006 4:31:48 PM -0400 DAve =20 wrote: > > That is a bit extreme. I have a full workload, I put in about 60 hours a > week (I work a lot of weekends, I'm working now). I have servers running > all different version of apps. I can't go around upgrading everything at > the drop of a hat. I would be divorced within a month. > > If you read the security alerts carefully you will find many require a > shell (We don't offer them to clients), some require a specific app to > be running that you may not need (rm -f /usr/local/bin/vulnerable_app), > and sometimes a simple code audit will tell you if you are vulnerable. > It is also not uncommon that a security alert is issued for a problem > that has not be proven in the wild. > > There are plenty of reasons to not follow a security alert, many of them > quite valid. Upgrading mission critical systems without throughly > understanding the implications just because someone screamed SECURITY!, > now that is foolhardy. > That wasn't the situation here. Look, there are several possible scenarios where installing a vulnerable=20 app is less of a risk than not installing the app at all. Business=20 functionality *is* important. However, to arbitrarily say "Use=20 DISABLE_VULNERABILITIES" is the answer to an app that won't install is=20 always a wrong answer. *At a minimum* it should come with a warning of=20 the possible risks. Furthermore *upgrading* from a non-vulnerabile app to = a vulnerable app simply because "it's the latest" is foolhardy in the=20 extreme. I don't think my statement was any more extreme than "Just use=20 DISABLE_VULNERABILITIES and you can install the app" with no warning of=20 the risks. *Especially* when the app is as highly scrutinized as php is=20 (not to mention how vulnerabilities are being found in it all the time.) Paul Schmehl (pauls@utdallas.edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/ --==========9168764B833293E07355==========--