[ale] Redhat's package naming convention

Michael Hirsch mhirsch at nubridges.com
Tue Sep 17 13:53:07 EDT 2002
On Tue, 2002-09-17 at 11:10, Chris Ricker wrote:
 
> If you use rpm -q --changelog openssl after you install the new package,
> you'll see why the new builds of the same software (openssl-0.9.6b-24,
> openssl-0.9.6b-29, etc.) were made and what the new build is fixing.  You
> can also read the Red Hat errata on the web, but what either will tell you
> is that openssl-0.9.6b-28 fixes the CERT advisory....

Actually, that is my problem with them--they don't say this.  What they
say is:

* Mon Jul 29 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-25

- add patch to fix ASN.1 vulnerabilities

* Thu Jul 25 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-24

- add backport of Ben Laurie's patches for OpenSSL 0.9.6d

and the errata are not much more informative.  The OpenSSL packages are
up to a higher revision than d (g, I think).  Are they needed?  How is
the next patch related to the newer updates of OpenSSL? I can't find out
without downloading the patches and comparing.

My wish is that RedHat would issue a statement saying whether their
recent updates fix the problem with this worm, or not.

--Michael
> All this, of course, is why surveys like Netcraft's recently hyped "no one
> is upgrading openssl" <http://www.netcraft.com/survey/>, which look blindly
> at software versions only, are worthless.

True.  I recently scanned a box with Nessus and it had this same
problem.  It reported vulnerabilities based on version numbers of
mod_ssl.

Michael
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
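The thread above contrasts two ways of deciding whether an installed OpenSSL is fixed: comparing the upstream version string (what a version-only scanner or the Netcraft survey does) versus reading the distribution's own Version-Release and `rpm -q --changelog` output, where backported fixes appear. The following is an added example, not code from the list thread or from Red Hat. The changelog text is constructed from the two entries quoted in the message, the `rpmvercmp` is a simplified reimplementation of RPM's label comparison rules rather than the rpm library itself, and the fix pattern `ASN\.1` is just the wording of the quoted entry, used here as a stand-in for whatever the errata actually names.

```python
"""Backport-aware package vulnerability check (added example).

Compares a version-only verdict with a verdict taken from the RPM
changelog, using the entries quoted in the ALE message above.
"""
import re

# Constructed sample: what `rpm -q --changelog openssl` prints (trimmed),
# built from the two entries quoted in the message above.
SAMPLE_CHANGELOG = """\
* Mon Jul 29 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-25

- add patch to fix ASN.1 vulnerabilities

* Thu Jul 25 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-24

- add backport of Ben Laurie's patches for OpenSSL 0.9.6d
"""

# Changelog header: "* <Dow Mon DD YYYY> <author> <version-release>"
HEADER_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{1,2} \d{4}) (?P<author>.+?) (?P<evr>\S+)$"
)


def parse_changelog(text):
    """Return [(version-release, [change lines]), ...], newest entry first."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append((m.group("evr"), []))
        elif line.startswith("- ") and entries:
            entries[-1][1].append(line[2:].strip())
    return entries


def _segments(s):
    """Split into alternating digit / alpha runs, as rpmvercmp does."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: numeric segments compare as integers, alpha
    segments lexically, numeric beats alpha, and when all common segments
    tie the string with more segments is newer (so 0.9.6b > 0.9.6).
    Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_vr(vr):
    """'0.9.6b-25' -> ('0.9.6b', '25')."""
    version, _, release = vr.rpartition("-")
    return version, release


def compare_vr(a, b):
    """Compare Version-Release labels: version first, then release."""
    va, ra = split_vr(a)
    vb, rb = split_vr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def version_only_verdict(installed_vr, fixed_upstream_version):
    """What a version-only scanner does: drop the release and compare the
    upstream version against the upstream release that carried the fix."""
    version, _ = split_vr(installed_vr)
    return "vulnerable" if rpmvercmp(version, fixed_upstream_version) < 0 else "patched"


def changelog_verdict(installed_vr, changelog_text, fix_pattern):
    """Distribution-aware check: find the oldest changelog entry whose text
    matches fix_pattern and report 'patched' if the installed
    Version-Release is at or past it.  'unknown' if nothing matches, which
    is the honest answer when the changelog does not name the fix."""
    for evr, changes in reversed(parse_changelog(changelog_text)):
        if any(re.search(fix_pattern, c, re.IGNORECASE) for c in changes):
            return "patched" if compare_vr(installed_vr, evr) >= 0 else "vulnerable"
    return "unknown"


if __name__ == "__main__":
    installed = "0.9.6b-29"
    print("version-only:", version_only_verdict(installed, "0.9.6d"))
    print("changelog   :", changelog_verdict(installed, SAMPLE_CHANGELOG, r"ASN\.1"))
```

Run against an installed `openssl-0.9.6b-29`, the version-only check reports "vulnerable" because 0.9.6b sorts before 0.9.6d, while the changelog check reports "patched" because release 25 already records the ASN.1 fix; that gap is exactly the false positive the message describes from Nessus and Netcraft. The weakness of the changelog approach is also visible here: it only works when the changelog wording (or, better, the vendor errata) actually names the fix, which is the complaint in the message.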