On Thursday 27 May 2004 13:04, Chalonec Roger wrote:
> Our security folks detected an openSSH vulnerability in a fully patched
> FC1. They said that it was running version 3.7.0 and needed to go to
It should not -> in FC1 it's 'rpm -q openssh' = 'openssh-3.6.1p2-19'!
> 3.7.1 . Should this be the case if FC1 is fully patched? Can anyone
> point me to directions on how to upgrade to 3.7.1 or recommend a better
> openSSH version?
Better do 'rpm -q openssh --changelog | less' and see if this
vulnerability is patched (you have to ask them exactly what vulnerability
do they have in mind). Many programs report vulnerabilities based on the
program version (not actual check), so I guess this is the case here. You
can see openssh-3.7p1.tar.gz is from 16-Sep-2003 and in the changelog
there are buffer overflow fixes from 17 and 18 Sep-2003.
>
> Thanks,
>
> Roger
Check the list, RedHat backports all fixes from the new versions. This
way you don't have all new features (and unknown bugs), but still have all
fixes from the new versions (as someone from RedHat allready explained).
--
Regards,
Doncho N. Gunchev Registered Linux User #291323 at counter.li.org
GPG-Key-ID: 1024D/DA454F79
Key fingerprint = 684F 688B C508 C609 0371 5E0F A089 CB15 DA45 4F79
