Last week, I wrote about how Joshua Aaron's ICEBlock app, which allows people to anonymously report ICE sightings within a 5-mile radius, is – unfortunately, and despite apparent good intentions – activism theater. This was based on Joshua's talk at HOPE where he made it clear that he isn't taking the advice
This security researcher is just wrong. The version of apache running is likely in a ‘stable’ release where critical CVEs are fixed by back-porting patches to the same older version of software. Also, if I’m reading correctly, the vulnerability he cites is dependent on malicious behavior of apps hosted behind the vulnerable server. His would likely not meet this criteria, so the vulnerability does not affect his use case.
It is the blogger, IMO, who is participating in ‘theater’. A little knowledge is a dangerous thing.
Well the interesting thing here is that you took the time to type that out while he just blocked the person trying to report a security vulnerability.
deleted by creator
Clearly. Hint: it’s what Enterprise Linux has done for 20 years.
Distros may not update software versions when backporting some things, meaning they add a suffix they control to the version e.g. 2.4.57-ubuntu1.2 whatever, but the version reported by the software itself might still be 2.4.57.
It depends on the release process. I was also confused once I was asking myself why the repo was reporting a CVE as fixed when it still showed the old version.
Wrong.