Anders Johansson wrote:
I think both you and Ben were missing my point by about a mile. We had two users, one even said that he saw the security notice. And yet he continued to run a version that he *knew* had a remotely exploitable vulnerability in it. And others too. And they just kept trying and trying because even though they had read the security alert, "there's no other version to try".
With attitudes like that we're *very* close to "hey, an attachment, cool, let's click it and see what happens".
Actually the problem is the same chronic one that has long plagued the efforts of Linux to penetrate the non-geek world: poor docs. When the security notice was posted, one of two things should have been included: either a pointer to the new sub-versions of Gaim 0.67 and 0.75 (e.g. 0.67a, 0.75a, or whatever version number sequence would be appropriate) that included the fix, OR specific instructions that versions of Gaim with the same version number (really dumb) may or may not contain the security fixes and what date range to look for (and hopefully get one that really contains the security fix). Absent those instructions it is folly to presume that the majority of non-geek SuSE users would know what to do, especially if they had updated to 0.75 due to the Yahoo failure of 0.67. Also, since SuSE was issuing online a replacement version of Gaim 0.67, why not post the 0.75 upgrade with the security fix instead of wasting time on the outdated v. 0.67? (Who wouldn't update while they were running the security update?) IMHO, YMMV ... dmc