[PLUG] Ubuntu security issues
Ronald Chmara
ron at Opus1.COM
Sat Oct 20 04:00:38 UTC 2007
On Oct 19, 2007, at 1:00 PM, Ed Sawicki wrote:
> Charlie Schluting wrote:
>> On 10/19/07 12:26 PM, Ed Sawicki wrote:
>>> I realize that Dapper is not the latest Ubuntu but shouldn't
>>> important programs like openssl and openssh be kept current
>>> regardless?
>> Have you checked the patch levels of those packages? Just because the
>> version is older, doesn't mean security fixes weren't applied..
> How would I do that?
>
> Here's what dpkg says:
> [snip]
> Version: 0.9.8a-7ubuntu0.4
That's *one* possible clue that a vendor has released a "patched"
version, as compared to a "newer release version", uhm... version...
OpenSSL (indeed, most projects) do not release tons of versions with
custom tags like '-7ubuntu0.4'.
Vendors are at their discretion to patch based on their philosophy,
whether dependencies will create more nightmares, etc.
This can present an issue similar to the following Scenario:
A F/OSS project issues foo-1.0.a
A distro then includes foo-1.0.a
-A major security flaw is found in foo-1.0.a
-A patch is released by the project (not distro), foo-1.0.b
-Another patch is released by the project (not distro), foo-1.0.c,
which eliminates the need for the prior patch.... by totally changing
the default behavior of foo, thus possibly altering an unknown number
of other packages and user compiled binaries.
What's a distro to do?
Update all update/release code to the .c version, possibly breaking
many more things in the process?
Merge patches between .b and .c, based on the distro's philosophy and
expansive testing?
Only keep the .b patches and features, to simply preserve back
compatibility?
Different distros can (and do) do very different things with this
problem.
-Bop
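The question in the thread is how to tell, from a version string like `0.9.8a-7ubuntu0.4`, whether a package is an untouched upstream release or an upstream release plus distro security patches. The following shell script is an added example written for this archive page, not code from any poster or from Ubuntu; it splits a Debian-style version into epoch, upstream version and distro revision, flags a vendor tag in the revision, and (when `dpkg-query` is present) reads the installed version and the distro changelog, which is where the list of fixed CVEs lives. The function names and the second sample version (`1:1.0.1-4ubuntu5.5`) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): inspect a Debian/Ubuntu
# package version to separate upstream release from distro patch level.
# Debian version syntax: [epoch:]upstream_version[-debian_revision]
# The debian_revision is everything after the LAST hyphen.

# Print "<epoch> <upstream> <revision>" for one version string.
parse_deb_version() {
    v="$1"
    epoch=0
    case "$v" in
        *:*) epoch="${v%%:*}"; v="${v#*:}" ;;
    esac
    case "$v" in
        *-*) upstream="${v%-*}"; revision="${v##*-}" ;;
        *)   upstream="$v";      revision="" ;;
    esac
    printf '%s %s %s\n' "$epoch" "$upstream" "$revision"
}

# Succeed (exit 0) when the revision carries a vendor tag such as
# "ubuntu", i.e. the distro has layered its own patches on the upstream
# source. A bare numeric revision like "-7" is a plain Debian packaging
# revision, not evidence of a security backport.
is_vendor_patched() {
    rev="$(parse_deb_version "$1" | cut -d' ' -f3)"
    case "$rev" in
        *ubuntu*) return 0 ;;
        *)        return 1 ;;
    esac
}

# On a live Debian/Ubuntu host: show the installed version of a package,
# its parsed parts, and the CVE references from the distro changelog.
# Degrades gracefully (exit 0) where dpkg-query or the changelog is absent,
# so it is safe to call from scripts run on other systems.
package_patch_level() {
    pkg="$1"
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo "dpkg-query not available on this host" >&2
        return 0
    fi
    if ! ver="$(dpkg-query -W -f='${Version}\n' "$pkg" 2>/dev/null)"; then
        echo "$pkg is not installed" >&2
        return 0
    fi
    echo "$pkg installed version: $ver"
    parse_deb_version "$ver"
    chlog="/usr/share/doc/$pkg/changelog.Debian.gz"
    if [ -r "$chlog" ]; then
        # The distro changelog records which CVEs each -ubuntuN.M revision fixed.
        zcat "$chlog" | grep -i 'CVE-' | head -n 20
    fi
}

# Usage on the version quoted in the thread (constructed demo run):
parse_deb_version "0.9.8a-7ubuntu0.4"
if is_vendor_patched "0.9.8a-7ubuntu0.4"; then
    echo "distro-patched build: check changelog.Debian.gz for fixed CVEs"
fi
```

The changelog check is the part that actually answers "were the security fixes applied?": a vendor tag in the revision only tells you the distro touched the package, while the changelog entries name the specific CVEs each revision addressed.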