
Re: Latest UTB Newsletter



On Fri, 2003-03-14 at 10:55, Mike A. Harris wrote:
> On 13 Mar 2003, Philip Wyett wrote:
> 
> >> Additionally, I don't think that there are any known security holes in
> >> Red Hat's products.  In the specific case you mention, Red Hat back
> >> ported the fix to zlib 1.1.3.  See
> >> http://rhn.redhat.com/errata/RHSA-2002-026.html.  Note that this errata
> >> does not include RHEL AS because it shipped after the errata was
> >> released, so it included the fix from day one.  Hence no errata was
> >> necessary.  If you see other security issues that might not have been
> >> addressed, please check the errata lists at
> >> http://rhn.redhat.com/errata, and, if they haven't been, email
> >> security redhat com 
> >
> >No, the version in AS is 1.1.3 and until someone updates the rpm to say
> >it's 1.1.4, it is 1.1.3. So they maybe back ported the fix, but there is
> >no direct info related to AS that says it has the fix and it is not an
> >AS user's job to go search other RH versions' errata or check the 1.1.3
> >source rpm or rpm --changelog and see if the issue has been
> >addressed.
> 
> The 1.1.3 RPM will not be updated to say it is 1.1.4 because it 
> is not 1.1.4.  Red Hat RPM packages, in addition to containing 
> the version of the software that is indicated, contain various 
> bug fixes, security fixes, enhancements and other patches that 
> are a part of the OS engineering process.
> 

Ok, I may have put it slightly wrongly and stated 'back ported the fix'
when it should have been generic, say 'back ported a fix'. Other than
that I stated what you have: until it says it's 1.1.4, it's not.

<snip>

> Please do not claim that a given Red Hat product ships with a
> given security hole such as above without specifically confirming
> that the problem does exist.  Otherwise you are just spreading
> FUD.
> 

I did not state Red Hat shipped anything with a given security hole. I
was merely attempting to stress the pointlessness of the previous post
pointing at another Red Hat version's errata and the assertion that AS
post-dated this version and must have any given fix.

Oh, don't do the FUD thing on me as it's totally misplaced.

> If you want to know if an issue is fixed, you have several 
> options:
> 
> 1) Check the RPM changelog
> 

Nope, usually poor descriptions and no terms of reference e.g.

* Wed Jan 30 2002 removed_name <removed redhat com> 1.1.3-25.7

- Fix double free

> 2) Check the src.rpm for patches
> 

Don't have the time to do this kind of trawling as don't many others.

> 3) Telephone your Red Hat technical support representative
> 

An option indeed.

> 4) Ask other users on a mailing list
> 

These folks can always be counted on to help. ;)

> If those are not enough options, I'm not sure what exactly you 
> would be requesting of us.  I'm sure if anyone out there is 
> curious about whether or not our Red Hat Enterprise Linux products 
> contain a given security fix or not, that our sales department 
> would be more than glad to do the dirty work of finding out for 
> you before you make your purchase order.
> 

I too am sure that anyone ready to part with the cash and having queries
is going to ask the sales dept to clarify before the deal is done -
would be a bit daft not to. :)

Regards

Phil

-- 

ICQ: 135463069
Email: philipwyett dsl pipex com

--

Public key: http://www.philipwyett.dsl.pipex.com/gpg/public_key.txt
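As an added example (not part of this thread and not Red Hat's tooling), a POSIX sh helper that parses the header/item format printed by `rpm -q --changelog` and reports which package release first carried an entry matching a search term. The changelog text is constructed for the example, apart from the "Fix double free" entry quoted above; a search for an advisory identifier finds nothing, which is exactly the "no terms of reference" problem raised in the thread.

```shell
#!/bin/sh
# Search an RPM changelog for entries mentioning a fix.
# Input format is what `rpm -q --changelog <pkg>` prints: a
# "* <date> <packager> <version-release>" header, then "- " items.
# SAMPLE_CHANGELOG is CONSTRUCTED; only the 1.1.3-25.7 entry is from the thread.
SAMPLE_CHANGELOG='* Mon Mar 03 2003 packager <packager@example.com> 1.1.3-25.8
- rebuild against new glibc
* Wed Jan 30 2002 removed_name <removed redhat com> 1.1.3-25.7
- Fix double free
* Tue Oct 16 2001 packager <packager@example.com> 1.1.3-24
- initial build'

# changelog_matches PATTERN
#   Reads a changelog on stdin and prints "<version-release>: <item>" for
#   every item matching PATTERN (case-insensitive extended regex).
#   Exits 0 if anything matched, 1 otherwise, so it works as a script check.
changelog_matches() {
    awk -v pat="$1" '
        BEGIN { found = 0 }
        /^\* / { ver = $NF; next }      # header: last field is version-release
        /^- /  { item = substr($0, 3)
                 if (tolower(item) ~ tolower(pat)) { print ver ": " item; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# fix_first_in PATTERN
#   Changelogs are newest-first, so the last matching line is the oldest
#   release that mentions the change. Prints nothing if no entry matches.
fix_first_in() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_matches "$1" | tail -n 1 | cut -d: -f1
}
```

A keyword such as "double free" is found, but an advisory identifier is not, because the entry never names one; that is why a changelog search alone cannot confirm a backported fix.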

--


