Once upon a time, Reindl Harald <h.reindl(a)thelounge.net> said:
> On 07.01.2012 06:35, Digimer wrote:
> > If you have a "security expert" who can't grasp the concept of
> > back-ported bug fixes, and is unwilling to test for specific
> > vulnerabilities' existence, it's time to get a new expert.
> you are missing the point A BIG CUSTOMER has a security-expert
Well, a big customer has a so-called or self-proclaimed security expert.
That is your opportunity to educate the customer and possibly gain some
security business for yourself.
Do you actually use Fedora for security-conscious big-business
customers? I use RHEL, and if they question versions from some external
scan, I quote Red Hat's backport policy. Any sane scan will reference
CVEs, and fixed CVEs are listed in the RPM changelogs (so I can quote
those to show security).
If you filter out versions, you're liable to get a security "report"
that lists every vulnerability in Apache, OpenSSH, sendmail/postfix/etc.
If you manage to filter out program names (not always possible), you'll
get a list of every CVE referencing the service listening on a port
("port 53 looks like it is running a DNS server; here's a list of things
that might be wrong").
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
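The reconciliation the reply describes, a version-matching scanner's CVE findings checked against the CVEs an RPM changelog says were backported, as an added example that is not part of the thread. The changelog text and CVE ids are constructed placeholders, and `changelog_for` assumes an RPM-based host with `rpm -q --changelog` available.

```python
"""Reconcile scanner-reported CVEs with CVE references in an RPM changelog.

On RHEL-style systems fixes are backported, so the package version string
a scanner matches on says little; the changelog records which CVEs the
packaged build actually addresses.
"""
import re
import subprocess

# Case-insensitive so "cve-0000-3333" in a sloppy changelog entry still counts.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample in the style of `rpm -q --changelog <package>` output.
# Maintainer, dates and CVE ids are placeholders, not a real package history.
SAMPLE_CHANGELOG = """\
* Tue Jan 03 2012 Example Maintainer <maint@example.invalid> - 2.2.15-15
- Resolves: CVE-0000-1111 CVE-0000-2222
- fix a crash in mod_example

* Mon Nov 14 2011 Example Maintainer <maint@example.invalid> - 2.2.15-14
- backport upstream patch for cve-0000-3333
"""


def fixed_cves(changelog):
    """Return every CVE id the changelog references, normalised to upper case."""
    return {m.upper() for m in CVE_RE.findall(changelog)}


def reconcile(reported, changelog):
    """Label each scanner-reported CVE: 'fixed-by-backport' when the changelog
    cites it (the entry to quote back to the scan), else 'needs-review'."""
    fixed = fixed_cves(changelog)
    return {
        cve.upper(): "fixed-by-backport" if cve.upper() in fixed else "needs-review"
        for cve in reported
    }


def changelog_for(package):
    """Fetch the real changelog on an RPM-based host (assumed tool; not used by
    the sample run below)."""
    result = subprocess.run(["rpm", "-q", "--changelog", package],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed scanner output: two backported fixes and one open item.
    findings = ["CVE-0000-1111", "cve-0000-3333", "CVE-0000-9999"]
    for cve, status in sorted(reconcile(findings, SAMPLE_CHANGELOG).items()):
        print(f"{cve}: {status}")
```

Anything left as needs-review is what actually deserves a per-vulnerability test, rather than the whole version-based list.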