Subject: Re: Not really an advocacy :-(
To: None <>
From: None <>
List: tech-security
Date: 06/21/2002 18:51:22
* <> [020621 18:18]:
> > You could use pkg_add and be done with it almost as quick. In fact, if you
> > trusted it enough, you could something via cron too.
> No way.
> Now I found out that the update is in
> .but patches/ is dated 06/21/02  06:17:00
> Is that the spirit of NetBSD that for day-to-day operation you should not need
> to play with -current tree? <> I thought that it
> was Linux mantra to live "permanently under development." Unfortunately, the
> image is different: while they released patches to formal releases, I am forced
> to go to current tree...

pkgsrc is always current? 
The fixed version was there yesterdaymorning (on my mirror at least).
I remember asking itojun about patching it, and at that time (tuesday?)
there was no fix from the Apache group - did the Penguinistas write their own 
patch or something, or was it the ISS one (which didn't close the hole)?

Personally I'm quite glad nobody shouted too loud about it,
because there was no fix, so announcing to the world there was a root
exploit wouldn't have helped anyone but the k1dd135...

audit-packages flagged it quickly - check your crontab is downloading
a fresh vulnerabilities list, because that should have notified you.

I didn't know Debian boxes updated themseleves automatically,
and personally I don't like the sound of that, but I guess it's
a matter of choice.

Rasputin :: Jack of All Trades - Master of Nuns