[ale] Red Hat's package naming convention
Michael Hirsch
mhirsch at nubridges.com
Tue Sep 17 13:53:07 EDT 2002
On Tue, 2002-09-17 at 11:10, Chris Ricker wrote:
> If you use rpm -q --changelog openssl after you install the new package,
> you'll see why the new builds of the same software (openssl-0.9.6b-24,
> openssl-0.9.6b-29, etc.) were made and what the new build is fixing. You
> can also read the Red Hat errata on the web, but what either will tell you
> is that openssl-0.9.6b-28 fixes the CERT advisory....
Actually, that is my problem with them: they don't say this. What they
say is:
* Mon Jul 29 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-25
- add patch to fix ASN.1 vulnerabilities
* Thu Jul 25 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-24
- add backport of Ben Laurie's patches for OpenSSL 0.9.6d
and the errata are not much more informative. The OpenSSL packages are
up to a higher revision than d (g, I think). Are they needed? How is
the next patch related to the newer updates of OpenSSL? I can't find out
without downloading the patches and comparing.
My wish is that Red Hat would issue a statement saying whether their
recent updates fix the problem with this worm, or not.
--Michael
> All this, of course, is why surveys like Netcraft's recently hyped "no one
> is upgrading openssl" <http://www.netcraft.com/survey/>, which look blindly
> at software versions only, are worthless.
True. I recently scanned a box with Nessus and it had this same
problem. It reported vulnerabilities based on version numbers of
mod_ssl.
Michael
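The point both posters make is that a vendor package can carry a backported fix without its upstream version string changing, so any check that looks only at "0.9.6b" will flag it. As an added illustration (not code from either list member or from Red Hat), the script below parses `rpm -q --changelog` style output and contrasts the version-only verdict with one based on the changelog entries. The sample changelog is constructed: it reuses the two entries quoted in the message plus a third, made-up "rebuild" entry, and the "fixed upstream" threshold `0.9.6g` and the keyword `ASN.1` are assumed inputs for the demonstration, not statements about which upstream release fixed what.

```python
"""Compare a version-only vulnerability verdict with a changelog-based one
for an RPM whose upstream version string does not change when fixes are
backported. All input below is constructed for the example."""
import re

# Constructed sample modelled on `rpm -q --changelog openssl` output; the
# first two entries are the ones quoted in the thread, the third is invented.
SAMPLE_CHANGELOG = """\
* Mon Jul 29 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-25
- add patch to fix ASN.1 vulnerabilities
* Thu Jul 25 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-24
- add backport of Ben Laurie's patches for OpenSSL 0.9.6d
* Mon Jun 17 2002 Nalin Dahyabhai <nalin at redhat.com> 0.9.6b-23
- rebuild
"""

# "* <weekday> <month> <day> <year> <author> <version-release>"
ENTRY_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} +\d{1,2} \d{4}) (?P<who>.+?) (?P<evr>\S+)$")
# Upstream OpenSSL 0.9.x versions look like "0.9.6b": digits plus a letter.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_changelog(text):
    """Return changelog entries in rpm's order (newest first), each a dict
    with the version-release string and its list of change lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"evr": m.group("evr"), "changes": []})
        elif line.startswith("- ") and entries:
            entries[-1]["changes"].append(line[2:].strip())
    return entries


def version_key(version):
    """Sortable key for an upstream version such as '0.9.6b'."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums, letter = m.groups()
    return tuple(int(n) for n in nums.split(".")), letter


def split_evr(evr):
    """'0.9.6b-25' -> ('0.9.6b', '25')."""
    version, _, release = evr.rpartition("-")
    return version, release


def version_only_says_vulnerable(installed_evr, fixed_upstream):
    """The check a version-matching scanner or survey performs: vulnerable
    whenever the upstream version is older than the upstream fix."""
    version, _ = split_evr(installed_evr)
    return version_key(version) < version_key(fixed_upstream)


def fix_mentioned_in(entries, keywords):
    """Newest release whose changelog mentions any keyword, else None.
    This is a heuristic: it can only work if the changelog names the fix."""
    wanted = [k.lower() for k in keywords]
    for entry in entries:
        for change in entry["changes"]:
            if any(k in change.lower() for k in wanted):
                return entry["evr"]
    return None


def release_at_least(installed_evr, fixed_evr):
    """True if installed version-release is the fixed one or newer.
    Assumes purely numeric release tags, as in the quoted entries."""
    version, release = split_evr(installed_evr)
    fversion, frelease = split_evr(fixed_evr)
    if version != fversion:
        return version_key(version) > version_key(fversion)
    return int(release) >= int(frelease)


def assess(installed_evr, changelog_text, fixed_upstream, keywords):
    """Side-by-side verdicts for one installed package."""
    entries = parse_changelog(changelog_text)
    fixed_in = fix_mentioned_in(entries, keywords)
    return {
        "version_only_says_vulnerable":
            version_only_says_vulnerable(installed_evr, fixed_upstream),
        "fix_backported_in": fixed_in,
        "changelog_says_vulnerable":
            fixed_in is None or not release_at_least(installed_evr, fixed_in),
    }


if __name__ == "__main__":
    # Assumed inputs: installed 0.9.6b-25, hypothetical upstream fix in 0.9.6g.
    print(assess("0.9.6b-25", SAMPLE_CHANGELOG, "0.9.6g", ["ASN.1"]))
```

On the constructed input the version-only check reports the box as vulnerable while the changelog shows the fix landing in release 25. The keyword heuristic has exactly the weakness the message complains about: if the changelog entry does not name the advisory or the issue, `fix_mentioned_in` returns `None` and the result falls back to "vulnerable", so the vendor's own errata or advisory mapping remains the authoritative source.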
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.