Last week, I wrote about how Joshua Aaron's ICEBlock app, which allows people to anonymously report ICE sightings within a 5-mile radius, is – unfortunately, and despite apparent good intentions – activism theater. This was based on Joshua's talk at HOPE where he made it clear that he isn't taking the advice
The example CVE linked in the article is plausible, though. The server was reportedly running 2.4.57 and the CVE was fixed in 2.4.60, so it’s definitely present in the software. Whether it would actually be exploitable is a different question.
Overall, I don’t get your point about stable releases and backports. Yes, security patches are backported, but that results in a new release (2.4.60 in this case) which still has to be updated to. It’s not like you can just stay on 2.4.57 and magically still have the fix, that’s just not how software versioning is done.
Distros may not update software versions when backporting some things, meaning they add a suffix they control to the version e.g. 2.4.57-ubuntu1.2 whatever, but the version reported by the software itself might still be 2.4.57.
It depends on the release process. I was also confused once I was asking myself why the repo was reporting a CVE as fixed when it still showed the old version.
The example CVE linked in the article is plausible, though. The server was reportedly running 2.4.57 and the CVE was fixed in 2.4.60, so it’s definitely present in the software. Whether it would actually be exploitable is a different question.
Overall, I don’t get your point about stable releases and backports. Yes, security patches are backported, but that results in a new release (2.4.60 in this case) which still has to be updated to. It’s not like you can just stay on 2.4.57 and magically still have the fix, that’s just not how software versioning is done.
Clearly. Hint: it’s what Enterprise Linux has done for 20 years.
Distros may not update software versions when backporting some things, meaning they add a suffix they control to the version e.g. 2.4.57-ubuntu1.2 whatever, but the version reported by the software itself might still be 2.4.57.
It depends on the release process. I was also confused once I was asking myself why the repo was reporting a CVE as fixed when it still showed the old version.