[ale] Redhats package naming convention

James P. Kinney III jkinney at localnetsolutions.com
Tue Sep 17 17:08:25 EDT 2002


Even as a longtime RedHat user, I have to side with Michael's take on
this. The changelog view, while useful, does not make it clear that this
build number is OK to use.

There are other "gotchas" with the openssl package. It is keyed to
several other aspects of the encryption stuff on RedHat Linux. It is not
possible to replace it (easily) with the 0.9.6g release, which is
clearly OK for the security patches. The main library is called
/lib/libcrypto.so.0.9.6b (as well as /lib/libssl.so.0.9.6b) which would
be renamed /lib/libcrypto.so.0.9.6g, which of course breaks
functionality. Which is why the patches were backported.

But a better changelog line would have cleared it up completely. 

On Tue, 2002-09-17 at 13:53, Michael Hirsch wrote:
> On Tue, 2002-09-17 at 11:10, Chris Ricker wrote:
>  
> > If you use rpm -q --changelog openssl after you install the new package,
> > you'll see why the new builds of the same software (openssl-0.9.6b-24,
> > openssl-0.9.6b-29, etc.) were made and what the new build is fixing.  You
> > can also read the Red Hat errata on the web, but what either will tell you
> > is that openssl-0.9.6b-28 fixes the CERT advisory....
> 
> Actually, that is my problem with them--they don't say this.  What they
> say is:
> 
> * Mon Jul 29 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-25
> 
> - add patch to fix ASN.1 vulnerabilities
> 
> * Thu Jul 25 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-24
> 
> - add backport of Ben Laurie's patches for OpenSSL 0.9.6d
> 
> and the errata are not much more informative.  The openSSL packages are
> up to a higher revision than d (g, I think).  Are they needed?  How is
> the next patch related to the newer updates of openSSL? I can't find out
> without downloading the patches and comparing.
> 
> My wish is that RedHat would issue a statement saying whether their
> recent updates fix the problem with this worm, or not.
> 
> --Michael
> 
> 
> > All this, of course, is why surveys like Netcraft's recently hyped "no one
> > is upgrading openssl" <http://www.netcraft.com/survey/>, which look blindly
> > at software versions only, are worthless.
> 
> True.  I recently scanned a box with Nessus and it had this same
> problem.  It reported vulnerabilities based on version numbers of
> mod-ssl.
> 
> Michael
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
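As an added illustration of the point Chris and Michael make above (this is not code from the thread), here is a small checker that reads the `rpm -q --changelog` layout and answers "is the backported fix in the installed build?" instead of comparing upstream version strings. The changelog text is a constructed sample built from the two entries quoted in the thread, and the version comparison is a simplified re-implementation of rpm's rules (no epochs, no `~`/`^` handling).

```python
import re

# Constructed sample: the two changelog entries quoted in the thread, in
# the layout that "rpm -q --changelog openssl" prints them.
CHANGELOG = """\
* Mon Jul 29 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-25

- add patch to fix ASN.1 vulnerabilities

* Thu Jul 25 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-24

- add backport of Ben Laurie's patches for OpenSSL 0.9.6d
"""

def rpmvercmp(a, b):
    """Simplified rpm version/release comparison: split into digit and
    letter runs, compare numerically or lexically, digits outrank letters.
    Returns -1, 0 or 1 (epochs and the ~/^ rules are not handled)."""
    sa = re.findall(r"[0-9]+|[a-zA-Z]+", a)
    sb = re.findall(r"[0-9]+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_changelog(text):
    """Return [(version-release, [note, ...]), ...], newest entry first."""
    entries = []
    for line in text.splitlines():
        if line.startswith("* "):
            entries.append((line.split()[-1], []))  # header ends with V-R
        elif line.startswith("- ") and entries:
            entries[-1][1].append(line[2:])
    return entries

def fix_present(changelog, installed_vr, keyword):
    """True if an entry at or below the installed build mentions keyword,
    i.e. the fix is on the box although the upstream version never changed."""
    return any(vr_cmp(vr, installed_vr) <= 0
               and any(keyword.lower() in n.lower() for n in notes)
               for vr, notes in parse_changelog(changelog))
```

A version-only scanner sees `rpmvercmp("0.9.6b", "0.9.6g") < 0` and flags the box; `fix_present(CHANGELOG, "0.9.6b-28", "ASN.1")` shows the ASN.1 fix has been in the build since release 25.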