Stupid Question
2002-07-02 - By Frank Tanner III

Thank you. That makes sense. I wasn't expressing a gripe, just asking as to why it was done this way rather than testing and updating OpenSSH.

--- Jay Turner <jkt@(protected)> wrote:

> On Tue, Jul 02, 2002 at 05:13:02AM -0700, Frank Tanner III wrote:
> > Maybe someone can answer the logic behind why it is
> > that Red Hat keeps patching against an old version of
> > OpenSSH, rather than completely updating it.
> >
> > There have been three revisions to OpenSSH since the
> > version that Red Hat released with v7.3, yet they
> > continue to patch against version 3.1 rather than test
> > and release 3.4.
> >
> > Even in Rawhide there is only version 3.1.
> >
> > Patching against an "out dated" application rather
> > than releasing the newer version seems kind of
> > backwards to me. Maybe someone can explain the logic
> > behind this. I know a lot of Red Hat employees lurk on
> > this list and unofficially answer questions from time
> > to time. I am hoping that one of them can give me an
> > answer.
> >
> > Thank you.
>
> It's actually pretty simple. We continue to apply patches to the code that we
> know and that has been proven in the field. Take the latest openssh errata . . .
> the one as a result of an exploit which we have yet to receive the full
> details about. Anyway, a couple of people came out with statements on the
> lines of "We have no clue what's actually wrong, but PrivSep is not vulnerable,
> so just deploy this new version of openssh which has PrivSep and you will be
> fine." This is code which has been in existence for a grand total of 3 months
> at this point. Red Hat did not feel comfortable throwing three month old code
> out to the customers when it affected something as critical as openssh. So
> instead we did some more digging to find out just what the issue was with
> openssh and it came to be known that, as shipped, Red Hat's openssh wasn't
> vulnerable. Only if the customer had changed the default configuration would
> they be subject to this latest security exploit.
> So, we released an errata to fix up that aspect of the package, but we are also
> looking at the latest cuts of the openssh code, so that we can get our hands
> around it and introduce it in the future. Once we feel that the code is "safe"
> we will make an errata and toss it into the wild.
>
> Thanks,
> jkt
>
> _______________________________________________
> Valhalla-list mailing list
> Valhalla-list@(protected)
> https://listman.redhat.com/mailman/listinfo/valhalla-list