<br><br><div class="gmail_quote">On Wed, Mar 11, 2009 at 1:52 PM, Greg Knaddison <span dir="ltr"><<a href="mailto:greg.knaddison@gmail.com">greg.knaddison@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Wed, Mar 11, 2009 at 11:43 AM, Christian Pearce<br>
<<a href="mailto:christian@pearcec.com">christian@pearcec.com</a>> wrote:<br>
> <a href="http://openflows.com/drupal/security" target="_blank">http://openflows.com/drupal/security</a><br>
<br>
</div>Which is awesome for backports, but at least to this point I don't<br>
think there has been coordination for vulnerabilities that only exist<br>
in unsupported releases.<br>
<br>
Consider:<br>
A researcher finds security hole in an old, unsupported version of<br>
core. They either don't report it (why bother on EOL'd software) in<br>
which case the communication ends OR<br>
do report it to the security team in which case the security team<br>
thanks them for the research and reminds them that the version is<br>
unsupported at which point the communication ends.<br>
<br>
And now people on EOL software are running it without a fix for a<br>
somewhat known vulnerability.<br>
<br>
Regardless of where the end of communication comes....the result<br>
remains the same. Running EOL'd software is a stopgap measure and<br>
should not be promoted.<br>
</blockquote><div><br>Sure I have considered that. You make sound as if you are running the currently supported versions you will never be vulnerable. Which simply isn't true, a black hat can find insecure code and keep it secret. Those risks always exist. And you have to safe guard yourself the same way regardless of the version.<br>
<br>Yea and running EOL software is a stopgap. And you should plan to upgrade. But in reality that isn't always possible in the timeframe given. <br></div><div> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Greg<br>
<font color="#888888"><br>
--<br>
Greg Knaddison<br>
<a href="http://knaddison.com" target="_blank">http://knaddison.com</a> | 303-800-5623 | <a href="http://growingventuresolutions.com" target="_blank">http://growingventuresolutions.com</a><br>
</font><div><div></div><div class="h5">_______________________________________________<br>
consulting mailing list<br>
<a href="mailto:consulting@drupal.org">consulting@drupal.org</a><br>
<a href="http://lists.drupal.org/mailman/listinfo/consulting" target="_blank">http://lists.drupal.org/mailman/listinfo/consulting</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Christian<br>