On Tue, 2003-07-29 at 10:54, Tru64 User wrote:
> Hi,
>
> I checked my openssl, it was version 0.9.6x (vulnerable).
> MandrakeUpdate does not offer its upgrade via security updates.
>
> OK. So? Download openssl-0.9.7b (no rpm available).
> OK. Make one of my own (rpm -tb .....tar.gz). Fine.
>
> Try installing (complains about conflicting stuff!)
> rpm -e openssl-0.9.6* ; libopenssl0-0.9.6i-1.4mdk is needed by a bunch of stuff.
> So, I used rpm -i --force openssl-0.9.7b-.....
>
> OK, good. But libopenssl0-0.9.6i-1.4mdk was not overwritten! So? Manually
> adjusted the link for libssl.so.0 to point to libssl.so.0.9.7 instead of
> libssl.so.0.9.6, and likewise for libcrypto.so.0.
>
> OK. Good. Openssl upgraded.
>
> #ssh otherhost;
> OpenSSL version mismatch. Built against 90607f, you have 90702f
>
> Arrrggghhhh..... I will have to build my own ssh then, no rpm for 3.6p1 available.
> Try building my own:
> rpm -tb openssh-3.6p1.tar.gz
> error: x11-askpass.... missing.
>
> Duh!! Downloaded that from some site; one more try:
> error: failed build dependencies:
> XFree86-imake is needed by openssh-3.6p1-2
>
> Can't locate XFree86-imake rpm!!
> Gave up making openssh rpm, I will perform manual install:
> ./configure --with-tcp-wrapper
> Error: libwrap not found (I have tcp-wrapper rpm installed though!!)
> Google for libwrap library, found an rpm for it:
> rpm -ivh libwrap-7.6.30.i386.rpm ; error: failed dependencies:
> tcp_wrappers < 7.6-28 conflicts with libwrap-7.6-30
>
> So, now I have to uninstall tcp_wrappers to install libwrap.
> (If you are still reading, do you even remember the original problem?????)
>
> Why are things this complicated????
>
> Thanks
>
> Richard
The problem comes with exactly what you are running into. But you are yelling at the messenger, not the sender. The problem isn't rpm but rather openssh. When the openssh people fix a "bug" they don't have to worry about dependencies on anything but openssh. MDK, or for that matter RH, SuSE etc. etc. etc., have to worry about all of the applications built against the previous version as well.

So what Vincent (or the package maintainer) does is to look at the changes from the version with the bug to the version with the fix, weed out all of the "new features" that have nothing to do with the bug and that will/might break other applications built against this lib package (both in building new apps and in running installed apps), then package it and release it as a new build. Not necessarily with the new version name and number, because it might not be the complete new version, but it is new in that it contains the needed security/bug fix so that your computer is less vulnerable to the black hats of the world.

Sometimes this will hold true even from one point release to the other, because some libs (take for an extreme example glibc) are so pervasive that they require massive application rebuilds and spec file re-thinks. This isn't pretty. (Which IMHO is why .0 releases are often the buggiest of the lot.)

The solution is ... use the update rpms. They are the ones that contain the security fixes.

Read the MDK errata for your release:
http://www.mandrakelinux.com/en/errata.php3

Read the security notices for your release:
http://www.mandrakesecure.net/en/advisories/

And check there to be sure that you really do need the update you are trying to do. It may actually already be on your box or in the version in updates.

The last thing you could do is to ask here if a == b. If you find something that Vincent or the maintainer of the package has possibly missed, I know they are willing to listen and take action. This has been proven over and over again. (Case in point: build 24mdk of the kernel had barely made it to the mirrors when one of the users here found a serious security hole. Within 24 hours a new kernel release fixing the holes had been completed, checked and mirrored. That's moving.)

When you get down to lib level you will often be faced with a choice: trust the security updates, turn yours into MDK-From-Scratch (as opposed to Linux-From-Scratch), or ask Vincent et al.

BTW, the build version in 9.1 and the update in < 9.0 contain the security fix and do privilege separation, which I'm guessing is why you wanted 3.6. Also... 3.6 for Linux is still pretty alpha-ish (according to some of the openbsd guys I know). However, alpha for those guys is release for M$. Remember there is a reason the word "Bleeding" is used in reference to being just beyond the cutting edge.

James
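What the "OpenSSL version mismatch. Built against 90607f, you have 90702f" line in Richard's post actually encodes, as an added example (not from the thread or from either project): a decoder for the OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS) and the compatibility test OpenSSH 3.x applied before that fatal message, which masks out only the patch-letter bits. The hex strings are the two values from the quoted error; the class and function names are assumptions.

```python
from dataclasses import dataclass

# OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS: major, minor, fix, patch, status.
# Status nibble 0xf means a release; 0x0 is a development snapshot.
STATUS_NAMES = {0x0: "dev", 0xf: "release"}

# Bits 4-11 hold the patch letter (a, b, c ...). OpenSSH 3.x compared
# (SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L, so only those bits may differ.
PATCH_LETTER_MASK = 0xff0


@dataclass(frozen=True)
class OpenSSLVersion:
    major: int
    minor: int
    fix: int
    patch: int
    status: int

    @classmethod
    def parse(cls, hexstr: str) -> "OpenSSLVersion":
        # hexstr is the number exactly as ssh printed it, e.g. "90607f".
        n = int(hexstr, 16)
        return cls(
            major=(n >> 28) & 0xf,
            minor=(n >> 20) & 0xff,
            fix=(n >> 12) & 0xff,
            patch=(n >> 4) & 0xff,
            status=n & 0xf,
        )

    def __str__(self) -> str:
        # Patch 1 -> "a", 2 -> "b" ...; 0 means no patch letter.
        letter = chr(ord("a") + self.patch - 1) if self.patch else ""
        status = STATUS_NAMES.get(self.status, f"beta{self.status}")
        return f"{self.major}.{self.minor}.{self.fix}{letter} ({status})"


def compatible(built_against: str, have: str) -> bool:
    """True when the headers ssh was compiled against and the libssl loaded
    at run time agree on everything except the patch letter."""
    diff = int(built_against, 16) ^ int(have, 16)
    return diff & ~PATCH_LETTER_MASK == 0


def explain(built_against: str, have: str) -> str:
    """Render the mismatch the way a human wants to read it."""
    verdict = "compatible" if compatible(built_against, have) else "mismatch"
    return (f"built against {OpenSSLVersion.parse(built_against)}, "
            f"running {OpenSSLVersion.parse(have)}: {verdict}")
```

Run against the two numbers from the post, `explain("90607f", "90702f")` reports a build against 0.9.6g running on 0.9.7b: the fix level changed, which is exactly what the symlink swap of libssl.so.0 did, whereas a 0.9.6g to 0.9.6i move (the distro's libopenssl0-0.9.6i) would have passed.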
