Problems with Updates
Derek Broughton
news at pointerstop.ca
Tue Oct 28 23:48:44 UTC 2008
Mario Vukelic wrote:
> On Tue, 2008-10-28 at 21:52 +0000, Kenneth P. Turvey wrote:
>> I'm not sure it is on a laptop. Losing productivity is more important to
>> avoid than the potential security threat in this case.
>
> Yeah, as discussed with Derek I see the point. However, the fact that it
> is a laptop maybe makes it even more vulnerable, since depending on your
> usage this laptop might frequently be on LANs that must be considered
> hostile.
>
> The meme that "the Ubuntu default install does not run daemons that
> listen to the outside" is not strictly true: it runs Avahi. "Avahi is a
> system which facilitates service discovery on a local network. This
> means that you can plug your laptop or computer into a network and
> instantly be able to view other people who you can chat with, find
> printers to print to or find files being shared" (avahi.org)
That's a sort of slightly-pink herring :-) It facilitates _local_
discovery - since it operates on a 169.*.*.* subnet, it's not a
vulnerability that's directly exposed to the Internet, though I suppose it
could be infiltrated from another machine on the same LAN.
>
> It also runs dhcp
That's not relevant to the cited "meme". It doesn't run a DHCP server - it
runs clients that talk to the network. Of course, there's no reason that a
badly designed client couldn't be compromised by a malevolent DHCP server
taking advantage of buffer overrun :-) So I think what you really mean is
not that it's not true that "Ubuntu ... does not run daemons that listen to
the outside" but that vulnerabilities _can_ exist in _any_ program that
talks to the Internet - whether it's a server or a client.
> I don't know about you, but I'd find an unpatched known remote hole in
> my kernel or avahi not tolerable.
I'm about ready to kick avahi again. I find the whole concept of avahi
not-tolerable, and the only reason I still have it is that it has amazingly
deep hooks...
> If you do disable updates you should at least subscribe to
> ubuntu-security-announce and read what alerts come up:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
>
> I'd recommend not to disable upgrades but apply them selectively. The
> Update Manager or your favorite command line frontend to APT let you do
> this.
I second that.
--
derek
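Two checks that follow from the thread above, as an added example (not code from Derek's or Mario's posts, nor anything shipped by Ubuntu): first, which UDP sockets on the box are bound to every interface, so you can see for yourself that avahi-daemon's mDNS port 5353 is reachable from any LAN the laptop joins; second, which of the pending upgrades come from the -security pocket, so those can be applied on their own while the rest wait. Both parsers run here against constructed sample output embedded in the script (the netstat lines and the package versions are placeholders, not captured from a real system), and assume the ordinary `netstat -ulpn` column layout and the `Inst pkg [old] (new Ubuntu:8.10/intrepid-security [arch])` line format that `apt-get -s upgrade` prints; `apply_security_updates` is the helper that runs the real commands.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from Ubuntu.

# --- 1. UDP sockets bound to every interface -------------------------------
# Constructed sample of `netstat -ulpn` output (run as root); not a real capture.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2101/avahi-daemon: r
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1980/dhclient3
udp        0      0 127.0.0.1:631           0.0.0.0:*                           2150/cupsd
udp6       0      0 :::5353                 :::*                                2101/avahi-daemon: r'

# wildcard_udp_listeners TEXT -> "port program" for every UDP socket bound to
# 0.0.0.0 or :: (i.e. reachable on any LAN the host is plugged into), one per
# line, sorted by port. Loopback-only sockets such as cupsd's are left out.
wildcard_udp_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^udp6?$/ && $4 ~ /^(0\.0\.0\.0|::):[0-9]+$/ {
            n = split($4, a, ":"); port = a[n]
            prog = $6                        # "PID/program" column for UDP rows
            sub(/^[0-9]+\//, "", prog)       # drop the PID
            sub(/:$/, "", prog)              # avahi prints "avahi-daemon: r"
            print port, prog
        }' | sort -n | uniq
}

# --- 2. pending upgrades from the -security pocket --------------------------
# Constructed sample of `apt-get -s upgrade` output; the version strings are
# illustrative placeholders, not real Ubuntu package versions.
SAMPLE_APT='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  avahi-daemon cupsys firefox openssl
4 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst avahi-daemon [1.0-1] (1.0-1.1 Ubuntu:8.10/intrepid-security [i386])
Inst cupsys [1.3-1] (1.3-1.1 Ubuntu:8.10/intrepid-security [i386])
Inst firefox [3.0-1] (3.0-2 Ubuntu:8.10/intrepid-updates [i386])
Inst openssl [0.9.8-1] (0.9.8-1.1 Ubuntu:8.10/intrepid-security [i386])
Conf avahi-daemon (1.0-1.1 Ubuntu:8.10/intrepid-security [i386])
Conf cupsys (1.3-1.1 Ubuntu:8.10/intrepid-security [i386])
Conf firefox (3.0-2 Ubuntu:8.10/intrepid-updates [i386])
Conf openssl (0.9.8-1.1 Ubuntu:8.10/intrepid-security [i386])'

# pending_from_pocket TEXT SUFFIX -> names of packages whose "Inst" line cites
# an archive pocket ending in -SUFFIX ("security", "updates", ...), sorted.
pending_from_pocket() {
    printf '%s\n' "$1" | awk -v suffix="$2" '
        $1 == "Inst" {
            for (i = 3; i <= NF; i++)
                if ($i ~ ("/[a-z]+-" suffix "$")) { print $2; break }
        }' | sort
}

# apply_security_updates: refresh the indexes, then upgrade only the packages
# whose candidate version comes from the -security pocket. Must run as root.
# Packages pending from other pockets (e.g. -updates) are left untouched.
apply_security_updates() {
    apt-get update >/dev/null || return 1
    pkgs=$(pending_from_pocket "$(apt-get -s upgrade)" security)
    if [ -z "$pkgs" ]; then
        echo "no security updates pending"
        return 0
    fi
    echo "security updates pending: $(printf '%s ' $pkgs)"
    # shellcheck disable=SC2086  -- splitting $pkgs into words is intended
    apt-get install $pkgs
}

# Offline demo on the constructed samples (safe to run anywhere):
wildcard_udp_listeners "$SAMPLE_NETSTAT"
pending_from_pocket "$SAMPLE_APT" security
```

Two caveats worth knowing. `apt-get upgrade` never installs new packages, and a kernel security update usually arrives as a new `linux-image-2.6.27-N-generic` package pulled in by the `linux-image-generic` metapackage, so it shows up as "held back" rather than as an `Inst` line; check `apt-get -s dist-upgrade` as well if the kernel is what you are worried about. And if a package has a newer version in -updates than in -security, apt's candidate is the -updates one, so it will not be listed under "security" by this filter even though the security fix is included in it. On current systems `ss -ulpn` gives the same socket listing as the `netstat -ulpn` format parsed here.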