Thread: Security and old slackware release
View Single Post

   
  #2 (permalink)  
Old 02-20-2008, 06:49 AM
+Alan Hicks+
 
Posts: n/a
Default Re: Security and old slackware release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In alt.os.linux.slackware, Toyotoshy dared to utter,
> 1) since we are going towards the the 11.0 release, how long will 9.1 be
> manteined(security updates)? (we haven't found the answer on slack site)

At this time Pat has been regrettably lax in putting out any security
updates for the longest time. You can find additional fixes via
anonymous ftp access from SlackSec and GUS-Br (two third-party groups
who have put out _some_ fixes) at:

ftp://ftp.scarlet.be/pub/

As for how long it will continue to be maintained, I cannot tell you. I
do know there is an issue with XFree86 that I haven't patched because
of the changes the XFree86 team made to their licensing terms. I didn't
want to get SlackSec muddled down in that debate. If you want my honest
guess, any sort of desktop vulnerability isn't going to get patched in
9.1, but if a prominant service like samba or apache has a known
vulnerability that _will_ be patched because of the number of old 9.1
machines out there still running public services.

> 2) does Pat at the moment propose *only* critycal(grave) security
> updates for old systems?

For the most part yes. A lot of things that just aren't security
vulnerabilities are labelled as such (for example, the "terrible" DOS
bug that affected gaim, whoop-tee-do). In practice, if she runs a
decent firewall on her machine she should be ok. If you're not familiar
with iptables, I can recommened MonMotha's iptables firewall script as
a good customizable ruleset.

> For example my friend is still using the old mozilla of Slack 9.1, but a
> lot of things changed since slack 9.1 has been released; so I think
> there could be security bugs(hope not grave) in her mozilla and in many
> other programs as well.

That's true, but IME attacks against linux desktop users just don't
appear in the wild.

> In this case I would suggest her to upgrade to 10.1.

Can't go wrong there. 10.1 is the most secure version ATM, and is
likely to be the one most of the updates that SlackSec puts out in the
near future will go against.

- --
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCMGn9vgVcFKpJf4gRAoARAJ9cFfrcTGhYDxtUCBYtej wL5r12YQCgxnoD
Ev0rJI5BDUeFk7YO6Ye6Z+0=
=50il
-----END PGP SIGNATURE-----
Reply With Quote