On Thu, 19 Sep 2002, Tzafrir Cohen wrote:

> What is the version of openssl installed? I only found a static version of
> it. This means that openssh has to be rebuilt if openssl is to be rebuilt.
>
> Any reason not to install the openssl-0.95a RPMs from redhat's updates for
> redhat 6.2? (from 6-aug)?
I just went over the redhat errata for RH6.2 and applied the relevant stuff.
Below is what I applied:

I've decided to follow Redhat's errata for Redhat 6.2:
http://rhn.redhat.com/errata/rh62-errata.html

Note that I generally followed the text of redhat's advisories, and didn't
bother checking other places. There was enough to check as it is.

libpng:
""""""

libpng-1.0.5-3 and libpng-devel-1.0.5-3 were installed.
Upgraded to libpng-1.0.14-0.6x.3 (and -devel)
See: http://rhn.redhat.com/errata/RHSA-2002-151.html

It is probably not exploitable, as I can't think of a program on IGLU that
processes a png image from an untrusted source using libpng (the original
advisory was regarding mozilla).

Anything statically linked with that?

glibc:
"""""

glibc-2.1.3-22 and glibc-devel-2.1.3-22 were installed.
Upgrading to glibc-2.1.3-26 (and -devel)
See
http://rhn.redhat.com/errata/RHSA-2002-166.html
http://rhn.redhat.com/errata/RHSA-2002-139.html
http://rhn.redhat.com/errata/RHSA-2002-133.html
http://rhn.redhat.com/errata/RHSA-2001-160.html
http://rhn.redhat.com/errata/RHSA-2001-002.html

The timezone information still needs an update. Later.

Anything statically linked with it?

bind:
""""

http://rhn.redhat.com/errata/RHSA-2002-133.html

  A buffer overflow vulnerability exists in multiple implementations of
  DNS resolver libraries. Applications that utilize vulnerable DNS
  resolver libraries may be affected. A remote attacker who is able to
  send malicious DNS responses could potentially exploit this
  vulnerability to execute arbitrary code or cause a denial of service
  on a vulnerable system. Red Hat Linux does not ship with any
  applications or libraries that link

However, the fix for that is an upgrade to bind 9.2.1 . No thanks. At least
not now. Note that this means that the next major bind vulnerability will
require either a manual patch or an upgrade to bind 9 "under fire".
Currently installed version: bind-8.2.3-0.6.x , which is from the previous
advisory: http://rhn.redhat.com/errata/RHSA-2001-007.html

openssl: (2002-08-05)
"""""""

openssl had not been installed from an RPM. On /usr/local/ there is
openssl, though only a .a archive. No .so library. Which programs were
linked with it besides openssh?

I have installed openssl-0.9.5a-29 and openssl-devel-0.9.5a-29 . There are
also openssl-perl and openssl-python packages, which I have not yet
installed.
http://rhn.redhat.com/errata/RHSA-2002-160.html
http://rhn.redhat.com/errata/RHSA-2002-155.html

util-linux:
""""""""""

util-linux-2.10f-7 was installed
Upgraded to util-linux-2.10f-7.6.2
http://rhn.redhat.com/errata/RHSA-2002-132.html
Fixes a hole that uses some race conditions to give a user root permissions.

tcpdump, arpwatch, libpcap:
""""""""""""""""""""""""""

tcpdump-3.4-19 and arpwatch-2.1a4-19 were installed. libpcap was not
installed.
Upgraded to tcpdump-3.6.2-11.6.2.0 , arpwatch-2.1a11-11.6.2.0
http://rhn.redhat.com/errata/RHSA-2002-094.html
http://rhn.redhat.com/errata/RHSA-2001-089.html
The problem is problematic handling of some packets, which may lead to
buffer overflows.

fetchmail:
"""""""""

fetchmail-5.3.1-1 is installed
Updated to fetchmail-5.9.0-9
http://rhn.redhat.com/errata/RHSA-2002-047.html
http://rhn.redhat.com/errata/RHSA-2001-103.html
http://rhn.redhat.com/errata/RHBA-2000-106.html
Seems to fix some bugs with access related to malformed data from a server.

sharutils:
"""""""""

sharutils-4.2.1-2 was installed
Upgraded to sharutils-4.2.1-2.6.x
See http://rhn.redhat.com/errata/RHSA-2002-065.html
Fixes various insecure file handling issues (?).
Does anybody actually use sharutils?

zlib:
""""

Wow, this is a big one! It also affects some packages that have internal
zlib versions.
There are some other fixes that were piggybacked on this fix:
http://rhn.redhat.com/errata/RHSA-2002-026.html

Affected packages: zlib, dump, rsync, kernel (others are not installed)

Regarding the kernel: our kernel is probably older. However, it seems that
the only way the zlib code is using external data is with ppp compression,
which we don't use (comments?)

rsync-2.4.1-2 was installed.
Updated to rsync-2.4.6-3.6
This should also fix another small security issue with rsync. See also
http://rhn.redhat.com/errata/RHSA-2002-018.html

zlib-1.1.3-6 and zlib-devel-1.1.3-6 were installed
Updated to zlib-1.1.3-25.6 (and -devel)
See also http://rhn.redhat.com/errata/RHSA-2000-100.html

dump-0.4b19-5.6x and rmt-0.4b15-1 were installed
Updated to dump-0.4b19-5.6x.1 and rmt-0.4b19-5.6x.1

php:
"""

Version of php3 is up-to-date
TODO: Version of php4 (installed from source) seems to be 4.0.1pl2 ,
according to /usr/include/php/php_version.h (no RH packages for 6.2 are
available)
http://rhn.redhat.com/errata/RHSA-2002-035.html

ucd-snmp:
""""""""

ucd-snmp-4.1.1-2 and ucd-snmp-utils-4.1.1-2 were installed
Updated to ucd-snmp-4.2.3-1.6.x.3 (and -utils)
http://rhn.redhat.com/errata/RHSA-2001-163.html
http://rhn.redhat.com/errata/RHSA-2001-101.html
http://rhn.redhat.com/errata/RHBA-2001-036.html
Fixes a DoS attack on an snmp server. I don't suppose anyone is going to
set up one on iglu any time soon, though.

diffutils:
"""""""""

diffutils-2.7-17 was installed
Updated to diffutils-2.7-22.6x
http://rhn.redhat.com/errata/RHSA-2001-116.html
Fixes a problem with the temporary file handling of sdiff

mktemp:
""""""

mktemp-1.5-2 was installed
Updated to mktemp-1.5-2.1.6x
http://rhn.redhat.com/errata/RHSA-2001-070.html
This is a newer version that adds the ability to create temporary
directories, and is required by some other fixes

man:
"""

man-1.5h1-2.6.x was installed.
Updated to man-1.5i2-0.6x.5
http://rhn.redhat.com/errata/RHSA-2001-072.html
http://rhn.redhat.com/errata/RHSA-2001-069.html
Fixes some problems with the man package which can lead to a local GID man
exploit.

tmpwatch:
""""""""

tmpwatch-2.6.2-1.6.2 was installed
Upgraded to tmpwatch-2.8-0.6.x
http://rhn.redhat.com/errata/RHBA-2001-104.html
Fixes some bugs. Mainly one that was triggered by the man upgrade

openldap:
""""""""

openldap-1.2.9-6 and openldap-devel-1.2.9-5 were installed
Upgraded to openldap-1.2.12-3 , openldap-clients-1.2.12-3 and
openldap-devel-1.2.12-3 (the programs like ldapsearch were moved to
openldap-clients). The server package is not installed.
http://rhn.redhat.com/errata/RHSA-2001-098.html
Does anybody need this package installed?

telnet:
""""""

telnet-0.16-6 and telnet-server-0.16-6 were installed
Upgraded to telnet-0.17.6x-18 and telnet-server-0.17.6x-18
http://rhn.redhat.com/errata/RHSA-2001-099.html
(I believe that the problem is only in telnet-server. And we probably are
never going to use it. Still...)

elm:
"""

elm-2.5.3-6 was installed
Upgraded to elm-2.5.5-0.62
http://rhn.redhat.com/errata/RHSA-2001-091.html
A buffer overflow in the handling of some malformed mail messages

procmail:
""""""""

procmail-3.14-2 is installed
Upgrading to procmail-3.21-0.62
http://rhn.redhat.com/errata/RHSA-2001-093.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0905
(The text of the redhat advisory was a bit misleading)
Seems to fix insecure signal handling in the suid program procmail that
would have allowed local users to gain root.

vim:
"""

vim-common-5.6-11 and vim-minimal-5.6-11 were installed
Upgraded to vim-common-5.7-0.6x, vim-enhanced-5.7-0.6x and
vim-minimal-5.7-0.6x
http://rhn.redhat.com/errata/RHSA-2001-008.html
Actually this could be worked around by a sensible .vimrc. I simply don't
want to assume anything about root's .vimrc .
Besides, I'll use this opportunity to slightly upgrade vim and install
vim-enhanced

XFree 3:
"""""""

XFree86-libs-3.3.6-20 was installed
Upgraded to XFree86-libs-3.3.6-29
http://rhn.redhat.com/errata/RHSA-2001-071.html
Just in case someone would like to use an X program from IGLU

gnupg:
"""""

gnupg-1.0.1-1 was installed
Upgraded to gnupg-1.0.6-0.6.x
http://rhn.redhat.com/errata/RHSA-2001-073.html
http://rhn.redhat.com/errata/RHSA-2001-063.html

ispell:
""""""

ispell-3.1.20-25 was installed
Upgraded to ispell-3.1.20-27
http://rhn.redhat.com/errata/RHSA-2001-074.html
Insecure handling of temporary files

sgml-tools:
""""""""""

sgml-tools-1.0.9-5 was installed
Upgraded to sgml-tools-1.0.9-6.2
http://rhn.redhat.com/errata/RHSA-2001-027.html
Insecure temporary file handling

slrn:
""""

slrn-0.9.6.2-4 was installed
Upgraded to slrn-0.9.6.4-0.6
http://rhn.redhat.com/errata/RHSA-2001-028.html
Buffer overflow in slrn, using data from read messages

joe:
"""

joe-2.8-42.62 was installed
Upgraded to joe-2.8-43.62
http://rhn.redhat.com/errata/RHSA-2001-024.html
Joe would automatically read a config file from the current directory

tcsh:
""""

tcsh-6.09-4 was installed
Upgraded to tcsh-6.10-0.6.x
http://rhn.redhat.com/errata/RHSA-2000-121.html
Possible symlink attack

ncurses:
"""""""

ncurses-5.0-12 and ncurses-devel-5.0-11 were installed
Upgraded to ncurses-devel-5.0-12 (the ncurses package was already
up-to-date)
http://rhn.redhat.com/errata/RHSA-2000-115.html
http://rhn.redhat.com/errata/RHSA-2001-014.html

TODO:
""""
* rebuild openssh
* Zope
* Kernel?
* php4

--
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir
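The audit above is, in every section, the same comparison: the installed name-version-release string against the one the advisory names. As an added example (not part of the original message, and not Red Hat's or rpm's own code), the following Python ports rpm's version-comparison rules and runs them over an inventory constructed from the version strings quoted above, so the comparison is done by the same segment rules rpm itself applies rather than by eye. INVENTORY, parse_nvr, rpmvercmp, evrcmp and audit are names chosen here; the comparison rules follow rpm's rpmvercmp() as it existed at the time (no tilde/caret pre-release syntax, which later rpm releases added).

```python
"""Audit installed RPM name-version-release strings against advisory versions.

Added example; not part of the original message. The inventory below is
constructed from the version strings quoted in the errata notes above.
"""

# Constructed inventory: (installed NVR, NVR named in the advisory).
INVENTORY = [
    ("libpng-1.0.5-3", "libpng-1.0.14-0.6x.3"),
    ("glibc-2.1.3-22", "glibc-2.1.3-26"),
    ("ncurses-5.0-12", "ncurses-5.0-12"),             # already current
    ("tmpwatch-2.6.2-1.6.2", "tmpwatch-2.8-0.6.x"),
    ("man-1.5h1-2.6.x", "man-1.5i2-0.6x.5"),          # alpha segment: h < i
    ("sharutils-4.2.1-2", "sharutils-4.2.1-2.6.x"),   # release has extra segments
]


def _take(s, pred):
    """Longest prefix of s whose characters all satisfy pred."""
    i = 0
    while i < len(s) and pred(s[i]):
        i += 1
    return s[:i]


def _skip_separators(s):
    """Drop leading non-alphanumeric characters ('.', '_', '+', ...)."""
    i = 0
    while i < len(s) and not s[i].isalnum():
        i += 1
    return s[i:]


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Versions are compared segment by segment, a segment being a run of digits
    or a run of letters. Numeric segments compare numerically (leading zeros
    ignored), alpha segments compare as strings, a numeric segment beats an
    alpha one, and the version with segments left over is the newer one.
    """
    if a == b:
        return 0
    one, two = a, b
    while True:
        one, two = _skip_separators(one), _skip_separators(two)
        if not one or not two:
            break
        if one[0].isdigit():
            seg1, seg2, isnum = _take(one, str.isdigit), _take(two, str.isdigit), True
        else:
            seg1, seg2, isnum = _take(one, str.isalpha), _take(two, str.isalpha), False
        if not seg2:
            # Segment types differ here; the numeric one is considered newer.
            return 1 if isnum else -1
        one, two = one[len(seg1):], two[len(seg2):]
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0          # same segments, only the separators differed
    return -1 if not one else 1


def parse_nvr(nvr):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release).

    Package names may themselves contain dashes (openldap-devel, ucd-snmp-utils),
    so version and release are taken from the right-hand end.
    """
    name_ver, sep1, release = nvr.rpartition("-")
    name, sep2, version = name_ver.rpartition("-")
    if not (sep1 and sep2 and name and version and release):
        raise ValueError("not a name-version-release string: %r" % nvr)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def evrcmp(a, b):
    """Compare two parsed packages as rpm does: epoch, then version, then release."""
    _, ea, va, ra = a
    _, eb, vb, rb = b
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def audit(inventory):
    """Return the names of packages whose installed NVR is older than the advisory's."""
    outdated = []
    for installed, advisory in inventory:
        pi, pa = parse_nvr(installed), parse_nvr(advisory)
        if pi[0] != pa[0]:
            raise ValueError("package name mismatch: %s vs %s" % (installed, advisory))
        if evrcmp(pi, pa) < 0:
            outdated.append(pi[0])
    return outdated


if __name__ == "__main__":
    for name in audit(INVENTORY):
        print("needs upgrade:", name)
```

On a real host the installed side of the inventory comes from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`; the advisory side is copied from the errata page. Epoch handling is included because a package whose epoch was bumped (the "1:" prefix) sorts ahead of any un-epoched version no matter how the version strings look, which is a frequent source of "why does rpm think this is a downgrade" confusion. The script says nothing about the "anything statically linked with it?" question asked twice above; for that, `file` reports ELF binaries as "statically linked", which is the quickest way to list candidates that an RPM upgrade of a shared library will not fix.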
