On Mon, October 15, 2007 11:57 am, Matthew Hannigan wrote:
> On Mon, Oct 15, 2007 at 11:31:39AM +1000, Voytek Eymont wrote:
>> I saw on the amavis list that my present file had vulnerability, so I

> How do you know that for sure?

Matthew, I don't, I didn't realize it might be 'back fixed'
I just checked '--version'

> e.g. the vulnerabilities list says that 4.10 has a vulnerability, but many
> (most? all?) distros backport security fixes to older versions
> and then re-release.
>
> You haven't mentioned what distro or version you're using
> so I am going to guess Centos4 going from your past posts.

Centos 4 and RH73

> So let's have a look at the changelog of the latest rpm:
> wget http://isoredirect.centos.org/centos/4/updates/i386/RPMS/file-4.10-3.0.2.el4.i386.rpm
>
> rpm -q --changelog -p file-4.10-3.0.2.el4.i386.rpm |less
>
>
> As expected, it does have security fixes backported, namely
> CVE-2007-2799 file integer overflow
> CVE-2007-1536 heap overflow
> And checking with the latest versions of file from fedora6 and fedora7
> we see that exactly the same two vulnerabilities are fixed there too.
>
> So I _strongly_ suspect that all you have to do is 'yum update'
> and you're fixed, if you're not already.

thanks, Matthew

so where do I identify changelog /url for RH73 'file' ?

-- 
Voytek

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
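The changelog check described in the quoted reply, turned into a repeatable test, as an added example that is not part of the original thread. The function names `missing_cves` and `check_rpm_backports` and the sample changelog are constructed for illustration; only `rpm -q --changelog [-p]` comes from the thread.

```shell
#!/bin/sh
# Added example: decide whether fixes were backported by reading the RPM
# changelog, instead of trusting the upstream version from '--version'.

# Read changelog text on stdin; print every CVE id given as an argument that
# the changelog does NOT mention. Returns 0 only if all ids are present.
missing_cves() {
    changelog=$(cat)
    rc=0
    for cve in "$@"; do
        # -F: match the id literally; -w: whole word only, so that
        # CVE-2007-1536 is not satisfied by a longer id such as CVE-2007-15360.
        if ! printf '%s\n' "$changelog" | grep -qwF -- "$cve"; then
            printf '%s\n' "$cve"
            rc=1
        fi
    done
    return "$rc"
}

# Run the check against an installed package name or a downloaded .rpm file.
# If rpm fails, the changelog is empty and every id is reported as missing.
check_rpm_backports() {
    target=$1
    shift
    case $target in
        *.rpm) rpm -q --changelog -p "$target" ;;
        *)     rpm -q --changelog "$target" ;;
    esac | missing_cves "$@"
}

# Constructed changelog text in rpm's layout (not real package output).
SAMPLE_CHANGELOG='* Mon Jun 04 2007 Example Packager <pkg@example.com> 4.10-3.0.2
- fix integer overflow (CVE-2007-2799)

* Fri Mar 23 2007 Example Packager <pkg@example.com> 4.10-3
- fix heap overflow (CVE-2007-1536)'

# Demo on the constructed sample; no rpm database is needed for this line.
printf '%s\n' "$SAMPLE_CHANGELOG" | missing_cves CVE-2007-2799 CVE-2007-1536 \
    && echo "both fixes are listed in the changelog"
```

On a real host, `check_rpm_backports file CVE-2007-2799 CVE-2007-1536` prints nothing and returns 0 when the installed package's changelog lists both fixes.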
