[ale] Redhats package naming convention

Chris Ricker kaboom at gatech.edu
Tue Sep 17 11:10:19 EDT 2002


On Tue, 17 Sep 2002, Billy Quinn wrote:

> All,
> 
> I've downloaded openssl-0.9.6b-28 from redhat.com, which is their latest
> release of openssl. I'm trying to verify this fixes all of the exploits from
> the apache worm ("CERT Advisory CA-2002-27 Apache/mod_ssl Worm")
> with regard to openssl exploits. I'm nearly sure it does, because the
> exploit for the worm seems to have been fixed in the openssl-0.9.6b-24
> release.
> 
> I guess my question is, the number after 0.9.6b seems to be a build number
> - Redhat do not seem to change the version (in this case the 0.9.6b)? I'm
> not intimately familiar with their package naming convention, and I need to
> make sure the build number increase is some kind of patching. In other
> distros (Mandrake), you can find rpms for 0.9.6e and above, which is
> what the openssl group recommend - apparently Redhat just bump up the build
> number of the base package.
> 
> Can anyone doubly verify that the openssl-0.9.6b-28 has all the patches to
> prevent SSL exploits (like the openssl-0.9.6e-g releases from the openssl
> group)? I'm replacing some IIS servers, and the last thing I want to do is
> have the Apache servers hit with that worm/SSL exploit!

Vendors can do two things with security errata:  upgrade to the newer
released versions which fix the problem (assuming there is one), or patch
whatever version they actually shipped, backporting the fixes from the
released version if necessary.  Some vendors almost always do the former
(Mandrake), some almost always do the latter (Debian), and some are fairly
evenly split, depending on the specific package (which is what Red Hat seems
to do).

In this particular case, the problem is that OpenSSL does not have a stable
API / ABI.  Red Hat has backported the security fixes to openssl-0.9.6b,
rather than upgrade to a new OpenSSL version (openssl-0.9.6e+) and force
customers to adapt code / recompile / download 50 other errata for packages
which are dependent on openssl....

If you use rpm -q --changelog openssl after you install the new package,
you'll see why the new builds of the same software (openssl-0.9.6b-24,
openssl-0.9.6b-29, etc.) were made and what the new build is fixing.  You
can also read the Red Hat errata on the web, but what either will tell you
is that openssl-0.9.6b-28 fixes the CERT advisory....

All this, of course, is why surveys like Netcraft's recently hyped "no one
is upgrading openssl" <http://www.netcraft.com/survey/>, which look blindly
at software versions only, are worthless.

later,
chris


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
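The check Chris describes (read the changelog, find the build that carries the backported fix, and compare the installed version-release against it the way rpm does) written out as a small script. This is an added example, not code from the thread, from Red Hat or from rpm itself: rpmvercmp() is a re-implementation of the segment rules in rpm's rpmvercmp.c (tilde/caret handling left out), and the changelog text embedded below is constructed for the example, not the real openssl changelog.

```python
"""Decide whether an installed RPM carries a backported fix.

A version-only comparison ("0.9.6b" < "0.9.6e", so it must be vulnerable")
is exactly the mistake discussed above.  The right question is whether the
installed epoch:version-release is at or above the errata build.
"""
import re

# A segment is a maximal run of digits or of letters; anything else is a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as `a` is older than, equal to, or newer than `b`.

    Re-implementation of rpm's segment rules (assumption: matches rpmvercmp.c
    for strings without '~' or '^'): numeric segments compare as integers,
    alphabetic ones as strings, a numeric segment is newer than an alphabetic
    one at the same position, and leftover segments make a string newer.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1          # number beats letters
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):               # longer number is the bigger one
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def parse_evr(pkg):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to '0'."""
    epoch, rest = ("0", pkg) if ":" not in pkg else pkg.split(":", 1)
    version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, version, release


def evrcmp(a, b):
    """Compare two 'epoch:version-release' strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed, fixed_in):
    """True when the installed build is the errata build or newer."""
    return evrcmp(installed, fixed_in) >= 0


# Constructed stand-in for `rpm -q --changelog openssl` output (newest entry first).
# The entries and dates are invented for this example.
SAMPLE_CHANGELOG = """\
* Tue Sep 10 2002 Example Maintainer <maint at example.org> 0.9.6b-28
- rebuild with further backported fixes (constructed entry)

* Tue Jul 30 2002 Example Maintainer <maint at example.org> 0.9.6b-24
- backport the fixes for the overflows in CERT Advisory CA-2002-27 (constructed entry)

* Mon Jun 10 2002 Example Maintainer <maint at example.org> 0.9.6b-18
- unrelated packaging change (constructed entry)
"""


def releases_mentioning(changelog, needle):
    """Return the version-release of every changelog entry whose body mentions `needle`."""
    hits, current = [], None
    for line in changelog.splitlines():
        if line.startswith("* "):
            current = line.split()[-1]         # '* <date> <packager> <version-release>'
        elif current and needle in line and current not in hits:
            hits.append(current)
    return hits


def first_fixed_build(changelog, needle):
    """Oldest build whose entry mentions `needle`; the changelog is newest-first, so the last hit."""
    hits = releases_mentioning(changelog, needle)
    return hits[-1] if hits else None


def check(installed, changelog=SAMPLE_CHANGELOG, needle="CA-2002-27"):
    """(build that introduced the fix, whether `installed` is at or past it)."""
    fixed_in = first_fixed_build(changelog, needle)
    if fixed_in is None:
        return None, False
    return fixed_in, is_fixed(installed, fixed_in)


if __name__ == "__main__":
    import sys
    text = SAMPLE_CHANGELOG if sys.stdin.isatty() else sys.stdin.read()
    pkg = sys.argv[1] if len(sys.argv) > 1 else "0.9.6b-28"
    print("version-only comparison 0.9.6b vs 0.9.6e:", rpmvercmp("0.9.6b", "0.9.6e"))
    print("errata build, fixed:", check(pkg, text))
```

On a real box you would feed it the installed package's own changelog, e.g. `rpm -q --changelog openssl | python3 evrcheck.py "$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl)"`, and the needle would be whatever the errata text names. Note the two answers the script gives: rpmvercmp("0.9.6b", "0.9.6e") is -1, which is all a version-scanning survey sees, while evrcmp("0.9.6b-28", "0.9.6b-24") is 1, which is what actually tells you the backported fix is present.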