[PLUG] Ubuntu security issues

Ronald Chmara ron at Opus1.COM
Sat Oct 20 04:00:38 UTC 2007


On Oct 19, 2007, at 1:00 PM, Ed Sawicki wrote:
> Charlie Schluting wrote:
>> On 10/19/07 12:26 PM, Ed Sawicki wrote:
>>> I realize that Dapper is not the latest Ubuntu but shouldn't
>>> important programs like openssl and openssh be kept current
>>> regardless?
>> Have you checked the patch levels of those packages? Just because the
>> version is older, doesn't mean security fixes weren't applied..
> How would I do that?
>
> Here's what dpkg says:

> [snip]

> Version: 0.9.8a-7ubuntu0.4

That's *one* possible clue that a vendor has released a "patched"  
version, as compared to a "newer release version", uhm... version...

OpenSSL (indeed, most projects) do not release tons of versions with  
custom tags like '-7ubuntu0.4'.

Vendors are at their discretion to patch based on their philosophy,
whether dependencies will create more nightmares, etc.

This can present an issue similar to the following scenario:
- A F/OSS project issues foo-1.0.a
- A distro then includes foo-1.0.a
- A major security flaw is found in foo-1.0.a
- A patch is released by the project (not distro), foo-1.0.b
- Another patch is released by the project (not distro), foo-1.0.c,
which eliminates the need for the prior patch.... by totally changing
the default behavior of foo, thus possibly altering an unknown number
of other packages and user compiled binaries.

What's a distro to do?
Update all update/release code to the .c version, possibly breaking  
many more things in the process?
Merge patches between .b and .c, based on the distro's philosophy and  
expansive testing?
Only keep the .b patches and features, to simply preserve back  
compatibility?

Different distros can (and do) do very different things with this  
problem.

-Bop
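As an added illustration of the point above (example code, not part of the original thread): a small parser that splits a dpkg version string like `0.9.8a-7ubuntu0.4` into its upstream version and vendor revision, so the "clue" Ron mentions can be read mechanically. The split follows the Debian policy format `[epoch:]upstream_version[-debian_revision]`; the reading of `ubuntu0.N` as a stable/security update of an otherwise unchanged Debian package is the common Ubuntu convention, stated here as an assumption, and the sample version strings other than the one quoted in the thread are constructed.

```python
import re

# Format per Debian policy: [epoch:]upstream_version[-debian_revision]
# Ubuntu appends "ubuntuN" or "ubuntu0.N" to the Debian revision when it
# changes the package itself; upstream never ships such tags.
UBUNTU_REV = re.compile(r"^(?P<debian>.*?)ubuntu(?P<ubuntu>[0-9.]+)$")


def parse_version(version: str) -> dict:
    """Split a dpkg version string into epoch, upstream and revision parts."""
    epoch, rest = 0, version
    if ":" in rest:                       # epoch is everything before the first colon
        e, rest = rest.split(":", 1)
        epoch = int(e)
    if "-" in rest:                       # revision is everything after the last hyphen
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""     # native package: no distro revision at all
    m = UBUNTU_REV.match(revision)
    return {
        "epoch": epoch,
        "upstream": upstream,
        "revision": revision,
        "debian_revision": m.group("debian") if m else revision,
        "ubuntu_revision": m.group("ubuntu") if m else None,
    }


def describe(version: str) -> str:
    """Say what the version string tells you about vendor patching.

    Only the revision changes when a distro backports a fix; the upstream
    part stays the same, so an "old" upstream version alone proves nothing.
    """
    v = parse_version(version)
    if not v["revision"]:
        return f"upstream {v['upstream']}: native package, no distro revision"
    if v["ubuntu_revision"] is None:
        return f"upstream {v['upstream']} plus Debian revision {v['revision']}"
    # Assumed convention: "ubuntu0.N" = N-th stable/security update of a package
    # otherwise taken unchanged from Debian; "ubuntuN" = Ubuntu-specific changes.
    kind = ("stable/security updates" if v["ubuntu_revision"].startswith("0.")
            else "Ubuntu-specific changes")
    return (f"upstream {v['upstream']}, Debian revision {v['debian_revision']}, "
            f"Ubuntu revision {v['ubuntu_revision']} ({kind})")


if __name__ == "__main__":
    for ver in ("0.9.8a-7ubuntu0.4", "1:4.2p1-7ubuntu3", "2.6.2"):  # last two constructed
        print(f"{ver:22} -> {describe(ver)}")
```

Whether a given CVE is actually covered by that revision still has to be read from the package changelog or the vendor's security notice; the string only shows that the vendor touched the package.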
