Firewall Wizards mailing list archives

Re: I cannot install Firestarter


From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 15 Jan 2003 09:40:36 -0500 (EST)

On Wed, 15 Jan 2003, Martin Peikert wrote:

[I'm going to nuke this thread unless something interesting comes up, but 
I'd like to point out a few things...]

> > Actually, if you sign up for RedHat's RHN service, then you can use the
>                ^^^^^^^^^^^^^^
> Right. You have to sign up if you want to use up2date, but that service 
> is not free - you have to pay for what you can get free if you use 
> apt. Ok, that isn't really my problem...

1.  You can get one free account, or at least you could at one point.  If 
you purchase the distribution, you can get one free account for sure.  

2.  Someone had a server out that looked to be functional if you wanted to 
roll your own server side.

> Last December I needed to update a box where RH7.2 was installed and 
> tried to use up2date for that purpose. I already knew that the version 
> of openssl that was installed was buggy, but up2date didn't help to 
> update that package to an acceptable version - the newest available was 
> openssl-0.9.6b. As you know, that version was known as insecure long 
> before December. I took the sources and built my own rpm.

It's worth noting that just checking version numbers on RedHat *isn't* a 
good way to figure out if a package is or isn't vulnerable.  RedHat adds 
that third number because they often add patches to packages without 
upgrading to the latest and greatest.  For instance, for OpenSSL, if you 
look at the errata for the fixes done in August of 2002, you'll see that 
for RedHat 6.2, they updated 0.9.5a (-29, which indicates a bunch of RH 
patching), but in the same errata note, they updated 0.9.6b (-13) for 7.0 
and 7.1 and 0.9.6b (-28) for 7.2.  So, it's worth noting, though I don't 
know the specifics of the bug you're talking about, it's very possible 
that up2date did actually fix your OpenSSL, and that you just weren't 
aware of it.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
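
[Added example, not part of the original message and not Red Hat's own tooling: a check that compares the package release number against the errata builds quoted above, next to a version-only check that misses backported fixes. The upstream threshold, the sample inventory and the function names are assumptions made for illustration.]

```python
import re

# Patched builds quoted in the message for the August 2002 OpenSSL errata:
# Red Hat release -> (upstream version, release number of the fixed package).
ERRATA_FIXED = {
    "6.2": ("0.9.5a", "29"),
    "7.0": ("0.9.6b", "13"),
    "7.1": ("0.9.6b", "13"),
    "7.2": ("0.9.6b", "28"),
}
ASSUMED_UPSTREAM_FIX = "0.9.6e"  # assumption: threshold a version-only scanner might use


def rpmvercmp(a, b):
    """Simplified rpm-style comparison (no epoch, tilde or caret handling)."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():  # a numeric segment sorts newer than letters
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def naive_check(version, threshold=ASSUMED_UPSTREAM_FIX):
    """Version-only check: reports every backported build as unpatched."""
    return rpmvercmp(version, threshold) >= 0


def errata_check(rh_release, version, release):
    """True if version-release is at or past the errata build for this release."""
    fixed_ver, fixed_rel = ERRATA_FIXED[rh_release]
    by_version = rpmvercmp(version, fixed_ver)
    return by_version > 0 if by_version else rpmvercmp(release, fixed_rel) >= 0


# Constructed inventory: (Red Hat release, openssl version, package release).
SAMPLE = [("7.2", "0.9.6b", "28"), ("7.2", "0.9.6b", "8"), ("6.2", "0.9.5a", "29")]


def report(hosts=SAMPLE):
    return [(rh, f"openssl-{v}-{r}", naive_check(v), errata_check(rh, v, r))
            for rh, v, r in hosts]


if __name__ == "__main__":
    for rh, pkg, naive_ok, errata_ok in report():
        print(f"RH {rh} {pkg}: version-only={naive_ok} errata-aware={errata_ok}")
```
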
