I'm quite disappointed with these "brand new" updates
which fix tmpwatch, syslog and traceroute security holes.
Why ?
I'll explain :
1- These holes were discovered on the 28th of September
2- The fix from redhat occurred on the 6th of October
3- The fix from cobalt occurred on the 14th of November
4- The official post about the fix occurred on the 16th of November...
So between the discovery and the first fix you can't do too many things,
that's quite normal.
But the delay between the fix from redhat and the fix from cobalt is
REALLY LONG : more than 1 month...
So hackers, when a hole occurs on systems which work on redhat (not
all parts but a lot), you should have fun on cobalt computers...
For at least one month !!!!
Hey, the next time I'll use the .rpm security fix if it takes you
one month to do a .pkg (what type of computer are you using
for making the patch ? an 8086 ???).
Really, I hate doing that, but if there is no change in the security
policy from cobalt, I'll swap for another brand more serious...
By the way, the patch for Bind (the DNS server) has just been released
on the 12th of November.
Will we have to wait for one month for the security patch ???
On system updates I don't bother but on security updates I bother !!
Just for the curious, yes we already had script kiddies attempt to
break our DNS, but fortunately, our DNS is on a redhat system
locally managed and finally tuned, so the patch and another protection
was already active... I don't want to think of a DNS running under
Cobalt !!!
(and what about pine, usermode and imap ???)
Ok guys, change your security policy, be more proactive ! We need
good stuff like the cobalt, but we don't want to be hacked each
hour of a day because of a lack of security patch !