A serious security bug... caused by no bounds checking.

H. S. Teoh hsteoh at quickfur.ath.cx
Mon Apr 7 21:59:30 PDT 2014


On Tue, Apr 08, 2014 at 12:43:15AM -0400, Nick Sabalausky wrote:
> On 4/8/2014 12:15 AM, H. S. Teoh wrote:
> >
> >I learned the hard way to always keep on top of the security
> >upgrades. A year or two ago, I put off a pending upgrade for a week,
> >and the day before I finally got around to it, my server was hacked
> >via the same vulnerability that the upgrade would've fixed. They got
> >root, so I had to nuke the system from orbit after backing up my
> >data, and rebuild the server from scratch. :-( Ever since then, I've
> >set up the system to notify me as soon as an update is available, and
> >now I dare not delay to install it ASAP.
> >
> 
> Yea, that's a good idea.
> 
> Is that Arch? How does your querying for security updates work? Just
> querying for updates on security-related packages, or somehow
> filtering on whether a package's update is security-related...or just
> a general "grab every update for everything"?

Actually, it's Debian/stable (which only gets security upgrades). I just
installed cron-apt and set it up to email me about upgrades.

In theory, if I were lazy, I'd set it up to just install all updates
automatically, but I do like to review exactly what gets installed
before installing it, since I did get bitten before by a careless
upgrade breaking existing software in a major way. (The worst instance
of this was when I unknowingly upgraded libc6 to a version that's
incompatible with the VPS kernel, causing the dynamic linker (and thus
*all* executables) to break. I had to resort to heavy-handed tactics[1]
to fix it.)


[1] Heavy-handed, as in: http://eusebeia.dyndns.org/bashcp


T

-- 
Once upon a time there lived a king, and with him there lived a flea.
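The setup described in the reply above (a cron job on Debian/stable that reports pending upgrades by mail so they can be reviewed before installation) can be approximated without cron-apt. The following is an added example, not code from the thread or from cron-apt: a POSIX shell filter that takes `apt list --upgradable` output and keeps only the packages whose candidate version comes from a `*-security` suite, which is the list a security-update notification would carry. The sample lines are constructed to match the `name/suite version arch [upgradable from: old]` format that `apt list --upgradable` prints; the suite names and versions are illustrative, not real data.

```shell
# Added example (not from the thread): reduce `apt list --upgradable` output
# to the pending upgrades that come from a -security suite, so a cron job can
# mail only the security-relevant changes for review before installing them.

# Constructed sample of `apt list --upgradable` output (illustrative values).
SAMPLE_UPGRADABLE='Listing... Done
libc6/stable-security 2.36-9+deb12u4 amd64 [upgradable from: 2.36-9+deb12u3]
vim/stable 2:9.0.1378-2 amd64 [upgradable from: 2:9.0.1378-1]
openssl/stable-security 3.0.11-1~deb12u2 amd64 [upgradable from: 3.0.11-1~deb12u1]
curl/stable-updates 7.88.1-10+deb12u5 amd64 [upgradable from: 7.88.1-10+deb12u4]'

# Read apt output on stdin; print "package old -> new" for each line whose
# suite (the part of field 1 after the slash) ends in -security.
filter_security_updates() {
    awk '
        # Skip the "Listing... Done" header apt prints.
        /^Listing/ { next }
        {
            split($1, ns, "/")
            if (ns[2] ~ /-security$/) {
                # Last field is "old]" from "[upgradable from: old]"; drop the bracket.
                old = $NF
                sub(/\]$/, "", old)
                printf "%s %s -> %s\n", ns[1], old, $2
            }
        }'
}

# Number of pending security upgrades; handy for a mail subject line or to
# decide whether to send mail at all.
count_security_updates() {
    filter_security_updates | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. In a real cron job the
# pipeline would start with: apt list --upgradable 2>/dev/null
printf '%s\n' "$SAMPLE_UPGRADABLE" | filter_security_updates
```

Because the filter only reads and reports, it fits the reviewer-in-the-loop approach from the reply: the mail tells you what is waiting, and the actual `apt-get upgrade` stays a manual step.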

