Andy Smith <andy@???> said, in message
20161214124152.GU21587@???:
>
> …perhaps I could have a bit of feedback from you as to whether we
> did the right thing in enforcing a reboot here.
>
> Discussion around the bug (unfortunately on a private list for
> discussion of the security bugs while they're under embargo, so I
> can't show you) indicated that it *probably* wasn't very dangerous.
Short (advertised) outages on my VM aren't that much of a problem, so I'm
pretty relaxed about the reboots.
IMHO...
The thing about security holes like this is that creative hackers have a
tendency to leverage them into much bigger things later. Reacting to the bug
while it's under embargo, even if it seems obscure, is probably the best
thing to do, rather than leaving it until someone finds a way of using
it to do something much scarier. At which point the 2 weeks' notice
might turn into 0 days.
Cheers,
Alun.
--
Dr. Alun Jones, auj@???, 01970 622637
Mathemateg, Ffiseg a Chyfrifiadureg, Prifysgol Aberystwyth
Mathematics, Physics & Computer Science, Aberystwyth University
