This is a discussion on Security and old slackware release within the Slackware Linux Support forums, part of the Unix Operating Systems category.
Hello guys,

one year ago I installed Slackware 9.1 on the computer of my friend Sara. She has never been connected to the web, so she didn't care about security updates. Now she is going to have an ADSL permanent connection and I told her she should fix vulnerabilities on the software she installed. So we took a look at the Changelog of Slackware 9.1 and we found there have been a lot of updates. We updated her system and everything is working perfectly.

Our questions are:

1) since we are going towards the 11.0 release, how long will 9.1 be maintained (security updates)? (we haven't found the answer on slack site)

2) does Pat at the moment propose *only* critical (grave) security updates for old systems?

For example my friend is still using the old mozilla of Slack 9.1, but a lot of things changed since slack 9.1 has been released; so I think there could be security bugs (hope not grave) in her mozilla and in many other programs as well. In this case I would suggest her to upgrade to 10.1. Am I wrong?

ciao

--
Toyotoshy, Linux user #312588
Powered by Linux 2.6.8 and FreeBSD 4.10!

In alt.os.linux.slackware, Toyotoshy dared to utter,

> 1) since we are going towards the 11.0 release, how long will 9.1 be
> maintained (security updates)? (we haven't found the answer on slack site)

At this time Pat has been regrettably lax in putting out any security updates for the longest time. You can find additional fixes via anonymous ftp access from SlackSec and GUS-Br (two third-party groups who have put out _some_ fixes) at: ftp://ftp.scarlet.be/pub/

As for how long it will continue to be maintained, I cannot tell you. I do know there is an issue with XFree86 that I haven't patched because of the changes the XFree86 team made to their licensing terms. I didn't want to get SlackSec muddled down in that debate. If you want my honest guess, any sort of desktop vulnerability isn't going to get patched in 9.1, but if a prominent service like samba or apache has a known vulnerability that _will_ be patched because of the number of old 9.1 machines out there still running public services.

> 2) does Pat at the moment propose *only* critical (grave) security
> updates for old systems?

For the most part yes. A lot of things that just aren't security vulnerabilities are labelled as such (for example, the "terrible" DOS bug that affected gaim, whoop-tee-do). In practice, if she runs a decent firewall on her machine she should be ok. If you're not familiar with iptables, I can recommend MonMotha's iptables firewall script as a good customizable ruleset.

> For example my friend is still using the old mozilla of Slack 9.1, but a
> lot of things changed since slack 9.1 has been released; so I think
> there could be security bugs (hope not grave) in her mozilla and in many
> other programs as well.

That's true, but IME attacks against linux desktop users just don't appear in the wild.

> In this case I would suggest her to upgrade to 10.1.

Can't go wrong there. 10.1 is the most secure version ATM, and is likely to be the one most of the updates that SlackSec puts out in the near future will go against.

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5

Dear Alan,

thanks for your opinion and for the link. I've configured her iptables. I think I'm going to convince her to move towards 10.1.

Thanks

--
Toyotoshy, Linux user #312588
Powered by Linux 2.6.8 and FreeBSD 4.10!

"+Alan Hicks+" typed:

> Toyotoshy dared to utter:
>> For example my friend is still using the old mozilla of Slack 9.1,
>> but a lot of things changed since slack 9.1 has been released; so I
>> think there could be security bugs (hope not grave) in her mozilla
>> and in many other programs as well.
>
> That's true, but IME attacks against linux desktop users just don't
> appear in the wild.

In fact, recent "Know Your Enemy Trend[0]" papers show that the life expectancy of a GNU/Linux box has increased considerably compared to that of a Windows system.

Note: [0] (http://www.honeynet.org.pk/)

--
Ayaz Ahmed Khan
http://fast-ce.org/
"Some people cause happiness wherever they go; others, whenever they go."
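
The ChangeLog check described in the first post can be done mechanically. The following is an added example, not part of the thread and not Slackware's own tooling: it lists installed packages for which the ChangeLog records a security fix in a different version. It assumes ChangeLog entries flagged with `(* Security fix *)` and package names of the form `name-version-arch-build`; the sample ChangeLog and package names are constructed.

```python
import re

# Constructed sample laid out like a Slackware ChangeLog.txt (newest entry first).
SAMPLE_CHANGELOG = """\
Mon Mar  7 12:00:00 PST 2005
patches/packages/examplepkg-1.2.4-i486-1.tgz:  Upgraded to examplepkg-1.2.4.
  This fixes a buffer overflow.
  (* Security fix *)
+--------------------------+
Tue Feb  1 09:30:00 PST 2005
patches/packages/demo-lib-2.0.1-i386-2.tgz:  Rebuilt.
patches/packages/otherpkg-0.9-noarch-1.tgz:  Upgraded to otherpkg-0.9.
  (* Security fix *)
+--------------------------+
"""
# Constructed stand-in for the file names found in /var/log/packages.
SAMPLE_INSTALLED = ["examplepkg-1.2.3-i486-1", "demo-lib-2.0.1-i386-2",
                    "otherpkg-0.9-noarch-1"]

PKG_LINE = re.compile(r"^(?:\S*/)?([^/\s:]+)\.tgz:")
MARKER = "(* Security fix *)"

def split_pkg(fullname):
    """'demo-lib-2.0.1-i386-2' -> ('demo-lib', '2.0.1-i386-2')."""
    name, version, arch, build = fullname.rsplit("-", 3)
    return name, f"{version}-{arch}-{build}"

def security_fixes(changelog_text):
    """Map package name -> newest version carrying a security fix."""
    fixes, current = {}, None
    for line in changelog_text.splitlines():
        m = PKG_LINE.match(line)
        if m:
            current = m.group(1)          # a new package entry starts here
        elif not line.startswith((" ", "\t")):
            current = None                # date line or separator ends the entry
        if current and MARKER in line:
            name, ver = split_pkg(current)
            fixes.setdefault(name, ver)   # first hit is the newest
    return fixes

def missing_fixes(changelog_text, installed):
    """(name, installed version, fixed version) where the two differ."""
    have = dict(split_pkg(p) for p in installed)
    return sorted((n, have[n], v)
                  for n, v in security_fixes(changelog_text).items()
                  if n in have and have[n] != v)

if __name__ == "__main__":
    for name, old, new in missing_fixes(SAMPLE_CHANGELOG, SAMPLE_INSTALLED):
        print(f"{name}: installed {old}, security fix in {new}")
```

The comparison is a plain inequality, so a locally built newer package would also be reported and needs a manual look.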