Edgy down?

Mario Vukelic mario.vukelic at dantian.org
Thu Jun 5 13:26:57 UTC 2008


On Thu, 2008-06-05 at 09:53 -0300, Derek Broughton wrote:
> yes?  Has there been a firefox exposure since Edgy stopped getting security
> updates?  

Doesn't matter. When using a browser that does not get security updates,
you have to consider it vulnerable, unless you are constantly up-to-date
with Mozilla security announcements. For most users, this is not an
option. 

In the face of increased popularity, Linux distros in general and
Firefox as well can only keep their rather good security record by
maintaining good practices both by devs and by users, and running
unpatched browsers in 2008's internet is not one of them. Nor is
propagating such ideas.

> Do you think there will be a _real_ one (rather than just a
> potentiality) against the current Edgy version of FF in the next two years? 

The security implications of not getting fixes from Mozilla are serious
enough that they played a significant role in Ubuntu's decision to roll
out Hardy with FF3.

Anyway, this should be enough of a warning:
http://secunia.com/advisories/15292/

"Two vulnerabilities have been discovered in Firefox, which can be
exploited by malicious people to conduct cross-site scripting attacks
and compromise a user's system."

Plus, the recent Debian OpenSSH fiasco should be a reminder that
extremely serious issues can crop up totally unexpectedly.

> How many people who are still running Edgy on a non-server computer (so
> it's presumably over a year old already), will still have that computer in
> two years?  I believe the exposure is negligible. 

It's one thing to argue, as you do now, that people who miss the upgrade
have a good chance of surviving without being compromised for
considerable time. Yes, that's good to know.

It's a different thing, as you basically did by criticizing my
recommendation to upgrade, to actively advise people that they need not
bother with an upgrade and are fine running unpatched software. I think
not even certain other posters would recommend this ;)

>  Heck, I believe the
> exposure of a server is negligible, but obviously greater than that of a
> pure client.

This is utter madness. According to Secunia there were, e.g., 35
advisories for Apache 2 from 2003 to 2007, 83% of which dealt with
remote attack vectors and 12% of which involved system access.
http://secunia.com/product/73/?task=statistics
