Penetration Testing mailing list archives
RE: Patch management tool
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 9 Sep 2004 19:11:22 -0400 (EDT)
which is a shame and a headache for admins doing more then a home desktop. trying to determine pacht levels in redhat is a game unto itself, and is perhaps one reason that it has not penetrated further into the corporate world then it has. Course, I have many other horor stories to tell about redhat <smile>... Thanks, Ron DuFresne On Tue, 7 Sep 2004, Harper, Patrick wrote:
Redhat has always had a habit of patching the vulnerability not the version. While it shows an older version it could be patched. My FC2 system says [root@xxx root]# telnet localhost 22 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. SSH-1.99-OpenSSH_3.6.1p2 But if you go to: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/i386/ Or check here for any advisories http://secunia.com/search/?search=fedora+ssh&w=0 There is no update for SSH. You need to try the actual exploit against the box to see if it is really vulnerable, for redhat/fedora systems an old rev number does not mean an exploitable system -----Original Message----- From: Todd Towles [mailto:toddtowles () brookshires com] Sent: Tuesday, September 07, 2004 11:31 AM To: roman one Cc: pen-test () securityfocus com Subject: RE: Patch management tool Yum works really well, but it shouldn't be your only tool to check for updates. Yum only works with special list of rpm updates. I use Yum on my FC2 box. I modified my yum.conf to use all the mirrors and everything. After doing a Nessus scan on my own box, I saw that my SSH verion was pre-3.7.1 Not good, yum didn't see it and I had to update my OpenSSH myself. Yum is good, but keeping up with software versions, knowing what is installed on your box and what is running, and watching vuln news is one of the best ways. I know this isn't the place for his question, but it isn't totally OT. Vuln scanning your computer with Nessus and other tools can help you find programs that need patches. Everyone on this list knows that you should test what will be used against you. The essence of Pen-Testing. -----Original Message----- From: roman one [mailto:roman () pointyhats com] Sent: Saturday, September 04, 2004 7:24 PM To: 'Milind Nanal'; pen-test () securityfocus com Subject: RE: Patch management tool As mentioned by another on this list, this isn't really the appropriate list for such an inquiry, however, not to leave you without an answer, for any linux distro that uses rpm's, yum - Yellow dog Updater, Modified would fit the need. It's used extensively and is relatively straight forward in implementation. You can find it here: http://linux.duke.edu/projects/yum/ In the future, the focus-linux () securityfocus com would be a better place for a linux related inquiry. HTH roman emperor () ensecure org He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you. -Friedrich Nietzsche, Jenseits von Gut und Bose (1886)-----Original Message----- From: Milind Nanal [mailto:milindyn () rolta com] Sent: Friday, September 03, 2004 5:46 AM To: pen-test () securityfocus com Subject: Patch management tool List, Looking for best free tool /open source solution for Linux operating system patches management. There are commercial tools available like Novell zenworks, Shavlik Technologies. But I am looking for non commercial option. Some thing like patch distribution server which possibly push the recent OS patches to other linux systems. Linux distribution should covering RedHat, Suse other linux flavors. Quick response is highly appreciated. Regards, Milind -------------------------------------------------------------- ---------------- Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ------- ------------------------------------------------------------------------ ------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ------- ------------------------------------------------------------------------ ------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ------- Disclaimer: This electronic message, including any attachments, is confidential and intended solely for use of the intended recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have received this message in error, please delete it and notify the sender immediately. ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- Re: Patch management tool, (continued)
- Re: Patch management tool Alvin Oga (Sep 07)
- Re: Patch management tool Miles Stevenson (Sep 04)
- Re: Patch management tool - pen-test Alvin Oga (Sep 07)
- RE: Patch management tool roman one (Sep 07)
- Re: Patch management tool Jose Maria Lopez (Sep 07)
- RE: Patch management tool Todd Towles (Sep 07)
- RE: Patch management tool Steffen Kluge (Sep 09)
- Re: Patch management tool Jérôme (Sep 07)
- Re: Patch management tool Jose Maria Lopez (Sep 08)
- RE: Patch management tool Harper, Patrick (Sep 09)
- RE: Patch management tool R. DuFresne (Sep 10)
- RE: Patch management tool Todd Towles (Sep 09)
- Re: Patch management tool Kurt Seifried (Sep 10)
- Re: Patch management tool James Riden (Sep 12)
- RE: Patch management tool Todd Towles (Sep 09)
- RE: Patch management tool Les Bell (Sep 11)