mailing list archives
RE: Patch management tool
From: Steffen Kluge <kluge () fujitsu com au>
Date: Thu, 09 Sep 2004 17:17:13 +1000
On Wed, 2004-09-08 at 02:31, Todd Towles wrote:
I use Yum on my FC2 box. I modified my yum.conf to use all the mirrors
and everything. After doing a Nessus scan on my own box, I saw that my
SSH verion was pre-3.7.1
Not good, yum didn't see it and I had to update my OpenSSH myself.
The current openssh package for FC2 is openssh-3.6.1p2-34, which is the
one FC2 was released with. There are no updates, so yum isn't missing
Keep in mind that RedHat usually backports security fixes into their
maintained package versions, rather than dropping in new versions that
often entail changed functionality as well. Most large distro's do it
that way, for obvious reasons of stability and compatibility.
Simple-minded vuln scanners that raise alerts based on reported software
versions alone, rather than testing for the presence of specific
vulnerabilities are just dumb (yet annoyingly common).
The openssh package that comes with FC2 has no publicly known
vulnerabilities, and contains fixes for all published security bugs,
including those discovered in fall 2003. You can verify that by reading
the changelog (rpm -q --changelog openssh) or by reading RH's errata.
Only install latest versions from the original maintainers if you need
the added functionality and have tested their compatibility with your
environment. Unless you like a gamble...
Description: This is a digitally signed message part