Home page logo

bugtraq logo Bugtraq mailing list archives

RE: [RHSA-2001:078-05] Format string bug fixed
From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Wed, 20 Jun 2001 14:14:36 +0100

That's great - but did you even *bother* to check if the update works on
RedHat 7.0?

[root () unix-software i386]# cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)

[root () unix-software i386]# rpm -qp --requires exim-3.22-13.i386.rpm

[root () unix-software i386]# rpm -qa --provides | egrep 'libssl|libcrypto'

[root () unix-software i386]# rpm -q openssl --provides
openssl = 0.9.5a-14

[root () unix-software i386]# rpm -Uvh exim-3.22-13.i386.rpm
error: failed dependencies:
        libcrypto.so.1   is needed by exim-3.22-13
        libssl.so.1   is needed by exim-3.22-13

*Wonderful* - you've shipped an update that no-one can apply, unless they
update their OpenSSL package (an update you don't provide). Doubtless you
built the RPM on RedHat 7.1, which has OpenSSL 0.9.6 and libcrypto.so.1

I like RedHat, but this is the third time you've done something like this in
recent months:

1) Splitting glibc into glibc-common and glibc, which meant that the glibc
update could not automatically be applied
2) Breaking the init script for the OpenSSH 2.5.2 release, which meant that
if anyone applied the update whilst logged in over SSH, the SSH daemon
restarted - this was because you switched to using the newer initscripts,
which had a function in them that the older ones didn't.
3) Now this, an (old, not even version 3.30) Exim update that won't apply!

Don't even get me started on the RPM4 update to 6.2, or the LDAP and crypto
libraries (which weren't a core part of the system when you shipped it, but
you made essential later on) - annoyingly enough, after making such sweeping
changes you didn't ship OpenSSH (although you already had OpenSSL) for 6.2.

You might take a lead from Debian's book, and exercise a little bit of
discipline when making your packages, rather than letting a random intern
ship updates to systems that people are using *in production*. Can I make a
suggestion - when developing patches for an operating system, try doing it
on the right version of the damn OS, rather than against RawHide, or
whatever it is you do...

Could you please re-issue this update, compiled on the right system this


| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |

-----Original Message-----
From: bugzilla () redhat com [mailto:bugzilla () redhat com]
Sent: 19 June 2001 21:40
To: redhat-watch-list () redhat com
Cc: bugtraq () securityfocus com; linux-security () redhat com;
security () redhat com
Subject: [RHSA-2001:078-05] Format string bug fixed

<snip broken update report>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]