[kwlug-disc] Saltstackgeddon
    Paul Nijjar 
    paul_nijjar at yahoo.ca
       
    Wed May  6 16:24:29 EDT 2020
    
    
  
On Wed, May 06, 2020 at 03:47:56PM -0400, Chris Frey wrote:
> On Wed, May 06, 2020 at 02:34:51PM -0400, Paul Nijjar via kwlug-disc wrote:
> > What is almost most frustrating is that Ubuntu and Debian packages are
> > affected but there have been no official patches released. 
> 
> I just saw the Debian fix roll in today on the security mailing list.
> Ubuntu is probably not far behind.

That is good news, but that horse is out of the barn. The
vulnerability was announced April 23 and patched April 29. It was a
CVE level 10 vulnerability (I do not know what that means, exactly,
but it sounds bad). But we are only getting patches now? There was a
coordination problem here.

I cannot blame Debian (or maybe even Ubuntu) developers for not
responding in a timely manner, since Debian developers are not paid. 
But I can feel grumpy that there is a big problem in the systems I am
depending on for security, and if I say that out loud the answer will
be "patch it yourself" or "I guess you shouldn't depend upon those
security systems, then".

- Paul
-- 
Events: https://feeds.off-topic.kwlug.org 
Blog: http://pnijjar.freeshell.org
    
    