Problems with Updates

Derek Broughton news at
Tue Oct 28 23:48:44 UTC 2008

Mario Vukelic wrote:

> On Tue, 2008-10-28 at 21:52 +0000, Kenneth P. Turvey wrote:
>> I'm not sure it is on a laptop.  Losing productivity is more important to
>> avoid than the potential security threat in this case.
> Yeah, as discussed with Derek I see the point. However, the fact that it
> is a laptop maybe makes it even more vulnerable, since depending on your
> usage this laptop might frequently be on LANs that must be considered
> hostile.
> The meme that "the Ubuntu default install does not run daemons that
> listen to the outside" is not strictly true: it runs Avahi. "Avahi is a
> system which facilitates service discovery on a local network. This
> means that you can plug your laptop or computer into a network and
> instantly be able to view other people who you can chat with, find
> printers to print to or find files being shared" (

That's a sort of slightly-pink herring :-)  It facilitates _local_
discovery - since it operates on a 169.*.*.* subnet, it's not a
vulnerability that's directly exposed to the Internet, though I suppose it
could be infiltrated from another machine on the same LAN.

> It also runs dhcp

That's not relevant to the cited "meme".  It doesn't run a DHCP server - it
runs clients that talk to the network.  Of course, there's no reason that a
badly designed client couldn't be compromised by a malevolent DHCP server
taking advantage of a buffer overrun :-)  So I think what you really mean is
not that it's not true that "Ubuntu ... does not run daemons that listen to
the outside" but that vulnerabilities _can_ exist in _any_ program that
talks to the Internet - whether it's a server or a client.

> I don't know about you, but I'd find an unpatched known remote hole in
> my kernel or avahi not tolerable.

I'm about ready to kick avahi again.  I find the whole concept of avahi
not-tolerable, and the only reason I still have it is that it has amazingly
deep hooks...

> If you do disable updates you should at least subscribe to
> ubuntu-security-announce and read what alerts come up:
> I'd recommend not to disable upgrades but apply them selectively. The
> Update Manager or your favorite command line frontend to APT let you do
> this.

I second that.

More information about the ubuntu-users mailing list