Chuck, I don't intend to beat on you, but perhaps you can shed some light on what to me is very confusing about the way RH is handling the security fixes.

I guess it would be fair to say, at least in my case, that I unnecessarily updated my openssh using the tarball at openssh.org to 3.5p1. What led me to do this was issuing the "ssh -V" command and seeing the 3.1p1 version id show up on the console and finding the latest rpm download is: well... I guess this is a little confusing too.

The redhat download centers show for RH 7.3 the file:

    openssh-3.1p1-3.i386.rpm    213 KB    04/17/2002 12:00:00 AM

and for RH 8.0 the file:

    openssh-3.4p1-2.i386.rpm    213 KB    09/03/2002 09:33:00 PM

Looking at the date stamp in the RH 7.3 centers I'd say there's little chance that this isn't vulnerable to the bug found this summer, unless RH is also backdating the fixes?

Is it fair to say, then, that the errata page is THE source of information as to whether or not a particular program is up-to-date, security wise?

Has any thought been given, to the best of your knowledge, to showing that a piece of software has been modified to provide a security fix when the user does a <program> --version at the console? Especially when the version shown is known to have a problem.

Regards, Mike Klinke

On Friday 13 December 2002 18:37, Chuck Mead wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> or 7.3).
> BH>>
> BH>> Psyche: https://rhn.redhat.com/errata/rh8-errata.html
> BH>> Valhalla: https://rhn.redhat.com/errata/rh73-errata.html
> BH>> Enigma: https://rhn.redhat.com/errata/rh72-errata.html
> BH>> Seawolf: https://rhn.redhat.com/errata/rh71-errata.html
> BH>>
> BH>
>
> Having personally lived through the openssh thingy last summer (prior to
> beginning my employment with RH) I know full well that the openssh thing
> was fixed the same week the bug was reported but it was fixed in an
> errata which was released the same week but based on the current
> version.
> To wit: https://rhn.redhat.com/errata/RHSA-2002-155.html