On 03/08/10 00:01, Jacopo Corbetta wrote:
> I haven't read all the documents, but have these researchers taken into account backported fixes?

No. Their work mostly revolves around defeating version number obfuscation by correlating various properties of the application with the version number. They scanned the Internet to demonstrate that their method works, and presented the version number distribution in passing. The security conclusions they drew from that distribution were not particularly rigorous.

> My gut feeling is that the "preference" for 1.12 is simply due to its inclusion in Debian stable [1].

They mention seeing spikes in popularity for packaged versions.

> The maintainer seems to be actively backporting security fixes [2], so while I agree that these versions may enjoy less community support, they should not be considered broken on the basis of the version number alone.

It's true that backports reduce the problem somewhat. But note that the Debian backports have probably not been reviewed to make sure that they fix the bugs they claim to fix, or indeed that they don't create new bugs that are even worse (as Kurt Roeckx did with his famous fix for some spurious valgrind warnings in OpenSSL).
-- Tim Starling