On 03/08/10 00:01, Jacopo Corbetta wrote:
> I haven't read all the documents, but have these researchers taken
> into account backported fixes?
No. Their work mostly revolves around defeating version number
obfuscation by correlating various properties of the application with
the version number. They scanned the Internet to demonstrate that their
method works, and presented the version number distribution in
passing. The security conclusions they drew from that distribution
were not particularly rigorous.
> My gut feeling is that the "preference" for 1.12 is simply due to its
> inclusion in Debian stable [1].
They mention seeing spikes in popularity for packaged versions.
> The maintainer seems to be actively backporting security fixes [2], so
> while I agree that these versions may enjoy less community support,
> they should not be considered broken on the basis of the version
> number alone.
It's true that backports reduce the problem somewhat. But note that
the Debian backports have probably not been reviewed to make sure that
they fix the bugs they claim to fix. Or indeed, that they don't create
new bugs that are even worse (as Kurt Roeckx did with his famous fix
for some spurious valgrind warnings in OpenSSL).
-- Tim Starling
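As an added illustration of the fingerprinting approach described in the reply above (correlating properties of the deployed application with its version number, so that removing the obvious version string does not hide the version), here is a small example written for this page. It is not the researchers' tool, not Tim's or any project's code, and the application name "exampleapp", its file paths, file contents and version numbers are all constructed for the demonstration.

```python
# Added example (not from the thread or any project): fingerprinting an
# application's version from the content of its static files, even when
# the obvious version string has been removed. All data here is constructed.
import hashlib
from typing import Callable, Dict, Optional, Set

# Constructed release trees for a hypothetical application "exampleapp":
# version -> {web-exposed path: exact file contents}. A real tool builds
# this table from the upstream release tarballs.
RELEASES: Dict[str, Dict[str, str]] = {
    "1.11": {
        "/RELEASE-NOTES": "exampleapp 1.11\n",
        "/skins/common/ajax.js": "function sajax(){/* v1 */}\n",
        "/skins/common/common.css": "body{margin:0}\n",
    },
    "1.12": {
        "/RELEASE-NOTES": "exampleapp 1.12\n",
        "/skins/common/ajax.js": "function sajax(){/* v2 */}\n",
        "/skins/common/common.css": "body{margin:0}\n",
    },
    "1.13": {
        "/RELEASE-NOTES": "exampleapp 1.13\n",
        "/skins/common/ajax.js": "function sajax(){/* v2 */}\n",
        "/skins/common/common.css": "body{margin:0;padding:0}\n",
    },
}

# path -> {content hash -> versions that ship exactly that content}
Index = Dict[str, Dict[str, Set[str]]]


def sha256(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def build_index(releases: Dict[str, Dict[str, str]]) -> Index:
    """Invert the release trees into per-path hash -> version-set tables."""
    index: Index = {}
    for version, tree in releases.items():
        for path, content in tree.items():
            index.setdefault(path, {}).setdefault(sha256(content), set()).add(version)
    return index


def fingerprint(fetch: Callable[[str], Optional[str]], index: Index) -> Set[str]:
    """Return the versions consistent with every file that could be fetched.

    fetch(path) returns the response body, or None if the file is absent
    (404, removed by the operator, blocked). Absent files, and files whose
    hash matches no known release (locally edited), contribute no evidence;
    every other file narrows the candidate set by intersection.
    """
    candidates: Set[str] = set()
    for by_hash in index.values():
        for versions in by_hash.values():
            candidates |= versions
    for path, by_hash in index.items():
        body = fetch(path)
        if body is None:
            continue
        known = by_hash.get(sha256(body))
        if known is None:
            continue
        candidates &= known
    return candidates


# Constructed target: it runs 1.12, but the operator deleted RELEASE-NOTES,
# the one file that states the version outright.
TARGET_SITE: Dict[str, str] = {
    "/skins/common/ajax.js": RELEASES["1.12"]["/skins/common/ajax.js"],
    "/skins/common/common.css": RELEASES["1.12"]["/skins/common/common.css"],
}


def fetch_target(path: str) -> Optional[str]:
    """Stand-in for an HTTP GET against the constructed target."""
    return TARGET_SITE.get(path)


if __name__ == "__main__":
    # ajax.js narrows the candidates to {1.12, 1.13}, common.css to
    # {1.11, 1.12}; the intersection identifies 1.12 without RELEASE-NOTES.
    print(sorted(fingerprint(fetch_target, build_index(RELEASES))))
```

Note what the result is and is not: it is the upstream version whose files match, nothing more. A distribution package carrying backported fixes ships the same static files as the unpatched upstream release and therefore fingerprints identically, which is exactly why a version distribution obtained this way cannot by itself say which installations are actually vulnerable.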