Blackhole

Ed Wilts ewilts at ewilts.org
Mon Apr 11 19:47:31 UTC 2005


On Mon, Apr 11, 2005 at 08:34:23PM +0100, Chris Kenward wrote:
> Hi Reuben
> 
> > He is using RHEL 3. The openSSH package contains the necessary
> > security fixes / backport. I would really recommend that he
> > keeps using the Red Hat supplied package rather than installing his
> > own version of SSH. 
> 
> Thanks for that - I was just about to go make those changes when I read your
> post. 

Don't go blindly making changes like this without researching the
implications.  You don't know any of us here and occasionally some
posters will give out bad advice (I've even been known to be wrong once
or twice).

> I guess that's the whole idea of buying the RHN versions of these
> packages, so that we are pretty sure they have been patched to stop the
> holes?

Exactly.  Every package you replace from Red Hat's distribution puts you
farther and farther from a stable, supported operating system release
unless you're going to be watching for all the fixes for every one of
those packages and understand *exactly* how fixes are going to be
handled by the upstream providers.

Red Hat's policies for fixing security holes are different from other
providers'.  Red Hat won't, unless absolutely necessary, break binary
compatibility within a release.  In other words, they'll backport the
fix so that every other package still works without changes.  Other
providers simply give you the "latest and greatest" and you may need to
re-compile other applications or in some cases update the code.  ssl is a
very good example of this.

In short, you're paying Red Hat a lot of money to give you a stable and
secure set of packages.  Don't replace them blindly.
 
-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
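A check that follows from the backporting point above, added here as an example and not part of the original thread: when a vendor backports a fix, the upstream version number never changes, so a version-only comparison reports "vulnerable" while the package changelog (`rpm -q --changelog <package>`) records the fix. The changelog text, the id CVE-0000-0001 and the version strings below are constructed placeholders, not real identifiers.

```shell
#!/bin/sh
# Added example. A backported fix lands in the changelog of the vendor package
# without bumping the upstream version, so the changelog, not the version
# string, is the source of truth. All data below is CONSTRUCTED for this
# example: CVE-0000-0001 and the version strings are placeholders.

SAMPLE_CHANGELOG='* Mon Mar 07 2005 Example Maintainer <maint@example.com> 1.2p3-5.4
- backport fix for CVE-0000-0001 (placeholder id)
* Tue Feb 01 2005 Example Maintainer <maint@example.com> 1.2p3-5.3
- rebuild'

# naive_check FIXED_UPSTREAM INSTALLED
# What a version-only scanner reports: anything other than the upstream
# fixed version is flagged. A plain string test is enough for the example.
naive_check() {
    if [ "$2" = "$1" ]; then echo fixed; else echo vulnerable; fi
}

# release_fixing CHANGELOG_TEXT CVE_ID
# Prints the version-release of the first changelog entry that mentions the
# CVE. Entry headers start with "* " and end in the version-release field.
release_fixing() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^\* / { rel = $NF }                  # remember the entry header
        index($0, cve) && rel { print rel; exit }'
}

# assess CVE_ID FIXED_UPSTREAM INSTALLED CHANGELOG_TEXT
# Combines both views: a recorded backport overrides the naive verdict.
assess() {
    cve="$1"; fixed_upstream="$2"; installed="$3"; changelog="$4"
    naive=$(naive_check "$fixed_upstream" "$installed")
    rel=$(release_fixing "$changelog" "$cve")
    if [ -n "$rel" ]; then
        echo "naive=$naive backport=$rel verdict=fixed"
    else
        echo "naive=$naive backport=none verdict=$naive"
    fi
}

# On a live system the last two arguments would come from
#   rpm -q --qf '%{VERSION}' <package>   and   rpm -q --changelog <package>
assess CVE-0000-0001 1.5p1 1.2p3 "$SAMPLE_CHANGELOG"
```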