how to verify a vulnerability is closed
2005-01-26 - By Lloyd H. Meinholz
How would one go about verifying that a patch for a vulnerability (e.g. CVE number CAN-2003-0693) has been back-ported on a RHEL3 system?
I'm trying to go through the errata, but I'm only finding references to RHEL 2.1 and am getting a little frustrated.
What has happened is that we have just had a security audit performed and my RHEL3 systems show up as vulnerable to CVE number CAN-2003-0693 (a buffer overflow in openssh). Versions prior to OpenSSH 3.7 were vulnerable. The latest OpenSSH package for RHEL3 is 3.6.1p2-33.30.3.
I know that Red Hat backports features, security patches etc., but how can I verify CVE number CAN-2003-0693 has been patched? I've tried Google, RHN and looked at rpm flags and can't figure out how to do this...
While I'm on the subject, it seems like it is more work to backport features/bug fixes (then test) than to simply upgrade the package (then test) and it seems like it would carry similar risk as simply upgrading. Why is backporting considered more stable than backporting features?
Anyway, I just need some way of proving to my auditors that CAN-2003-0693 is actually patched in RHEL3. Does anyone have any ideas or pointers? Thanks,
Lloyd
-- Taroon-list mailing list Taroon-list@(protected) http://www.redhat.com/mailman/listinfo/taroon-list
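The usual way to answer the question above on an RPM-based system is to read the package changelog (`rpm -q --changelog openssh`), because a backported security fix is recorded there under the CVE/CAN id even though the upstream version string never changes. The script below is an added example written for this archive page, not code from the original post or from Red Hat; the changelog excerpt it searches is a constructed sample so the check runs offline, and the live form that queries the installed package is shown as a comment.

```shell
#!/bin/sh
# Added example: check whether an installed RPM's changelog records a given CVE/CAN id.
# Red Hat backports fixes without bumping the upstream version, so the changelog,
# not the version number, is the evidence an auditor needs.

# Constructed sample changelog (NOT the real Red Hat errata text); on a live
# RHEL3 box you would use the output of: rpm -q --changelog openssh
SAMPLE_CHANGELOG='* Tue Sep 16 2003 Example Packager <packager@example.invalid> 3.6.1p2-33.30.3
- backport buffer management fixes (CAN-2003-0693, CAN-2003-0695)
* Mon Aug 04 2003 Example Packager <packager@example.invalid> 3.6.1p2-33.30.1
- rebuild'

# cve_in_changelog CVE_ID CHANGELOG_TEXT
# Exit 0 when the id appears anywhere in the changelog text, 1 otherwise.
cve_in_changelog() {
    printf '%s\n' "$2" | grep -q -i -e "$1"
}

# cve_evidence CVE_ID CHANGELOG_TEXT
# Print the changelog lines that mention the id, so they can be quoted to an auditor.
cve_evidence() {
    printf '%s\n' "$2" | grep -i -e "$1"
}

# report_cve CVE_ID PACKAGE CHANGELOG_TEXT
# Print a one-line verdict; returns 0 if fixed, 1 if no evidence was found.
report_cve() {
    if cve_in_changelog "$1" "$3"; then
        printf '%s: %s fix recorded in changelog:\n' "$2" "$1"
        cve_evidence "$1" "$3"
        return 0
    fi
    printf '%s: no changelog entry for %s (unpatched or fixed under another id)\n' "$2" "$1"
    return 1
}

# Offline demonstration against the constructed sample:
report_cve CAN-2003-0693 openssh "$SAMPLE_CHANGELOG"

# Live form (requires rpm on the host; hypothetical usage, not run here):
# report_cve CAN-2003-0693 openssh "$(rpm -q --changelog openssh)"
```

A negative result only means the id is absent from the changelog; a fix can be listed under a related id (as the sample shows with a second CAN number), so read the matching entry rather than trusting a bare grep count.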