Koozali.org: home of the SME Server

blades are dangerous

hanscees

blades are dangerous
« on: July 01, 2002, 02:01:35 AM »
Hi,
I updated my 512 by using the blades.
However they keep on giving errors and then later it says they have installed fine.

I think this is unacceptable.

I updated the last blade to fix the apache hole, but rpm -q apache says 1.3.22.6es1

The apache website says that below 1.3.23 has holes in it.

How can I find out what version I have and whether it is a safe version? I think the blades or info about blades should print test protocols so you can check whether they really went ok.

This blade error stuff really drives me crazy. Here I am using open source, and yet I have no info to check if I am running safe software again.

hc

hanscees

Re: blades are dangerous
« Reply #1 on: July 01, 2002, 02:07:01 AM »
sorry,
apache 1.3.26 is safe

hc

Dan Brown

Re: blades are dangerous
« Reply #2 on: July 01, 2002, 02:20:18 AM »
You find out what version you have by doing what you did--rpm -q.  1.3.22-6es1 contains the security patches.

hanscees

Re: blades are dangerous
« Reply #3 on: July 01, 2002, 02:30:21 AM »
I am glad to hear that!

But still, where can I find what the blade 'should have' installed if you would not tell me here (not that I don't appreciate that you did)?

hanscees

Re: blades are dangerous
« Reply #4 on: July 01, 2002, 02:35:15 AM »
sorry to keep posting twice, but,

I am also using an e-smith version 4.12. Is the safe apache version for that one the 1.3.19.5 that is an update listed at the ftp site?

I am in the process of upgrading but it takes a while. And since everything but apache is not reachable to the outside it was safe until recently.

hc

Dan Brown

Re: blades are dangerous
« Reply #5 on: July 01, 2002, 02:35:49 AM »
Well, if it says it's installed, it is, including all the packages that comprise it.  I guess if you want the list, you can do rpm -qR SMEServer-5.1.2_Update2-04

Rich Lafferty

Re: blades are dangerous
« Reply #6 on: July 01, 2002, 02:53:56 AM »
> Here I am using open source, and yet I have no info to check if I am running
> safe software again.

Sure you do! You can read the changelog for the RPM:

$ rpm -q --changelog apache
* Thu Jun 20 2002 Charlie Brady 1.3.22-6es1

- add RedHat's chunk encoding fix to local build.

* Tue Jun 18 2002 Nalin Dahyabhai 1.3.22-6

- backport chunked encoding fix from 1.3.26
[...]

But if you don't trust the release announcement, I'm not sure you'll trust the
changelogs either. That's covered, too -- the source RPMs are available on
ftp.e-smith.com, and you can verify the contents of the patch that's applied and
ensure that it's being applied.

Cheers,
--Rich
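
The changelog check described in this reply, as an added example that is not part of the original thread or of e-smith's own tooling: it reads `rpm -q --changelog` text and lists which releases record a given fix, which is how a backported patch shows up when the version number alone (1.3.22 versus 1.3.26) does not. The function names are hypothetical, and the sample input is the excerpt quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Sample input: the changelog excerpt quoted in the reply above.
sample_changelog() {
cat <<'EOF'
* Thu Jun 20 2002 Charlie Brady 1.3.22-6es1

- add RedHat's chunk encoding fix to local build.

* Tue Jun 18 2002 Nalin Dahyabhai 1.3.22-6

- backport chunked encoding fix from 1.3.26
EOF
}

# changelog_entries_matching PATTERN
# Reads `rpm -q --changelog <pkg>` text on stdin and prints one line per
# matching note: "<version-release><TAB><note>".
# PATTERN is a lowercase extended regex, matched case-insensitively.
# Assumption: each "* date author version-release" header ends with the
# version-release field, as in the excerpt; headers without one would
# report the last word of the author field instead.
changelog_entries_matching() {
    awk -v pat="$1" '
        /^\* / { ver = $NF; next }          # entry header: remember release
        /^- /  {                            # note line under that header
            note = substr($0, 3)
            if (tolower(note) ~ pat)
                printf "%s\t%s\n", ver, note
        }
    '
}

# Usage on a live system (an installed package's changelog only contains
# entries up to the installed release, so any hit applies to what is running):
#   rpm -q --changelog apache | changelog_entries_matching 'chunk(ed)? encoding'
```

An empty result means the changelog records no such fix; as the reply says, the source RPM is where to confirm that the patch is actually applied.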

hanscees

Re: blades are dangerous
« Reply #7 on: July 01, 2002, 02:57:40 AM »
Well, as responsive as you are, which is definitely good, I think the blade info should include a way to check if all went well with the install. Especially when it concerns a security-hole fix.

That stays my opinion.

hc

PS, I would still like to know about whether there is a version for 4.12 of apache that is patched.

Dan Brown

Re: blades are dangerous
« Reply #8 on: July 01, 2002, 03:22:50 AM »
Again, if the blades panel reports that the blade is installed, it is.  What more do you need?

No, there is no Mitel-official upgrade for apache for 4.1.2.  Some people have upgraded to the RPMs from rpms.arvin.dk with success.

Michael Smith

Re: blades are dangerous
« Reply #9 on: July 01, 2002, 05:52:08 AM »
Open source is great ... but of course there's nobody holding your hand if you don't pay for the privilege.  So think like a hacker ... portscan your machine and map the vulnerabilities yourself, then fix 'em.  Same as securing your home; you walk around and think of ways someone could get in, then close the hole.

hanscees

Re: blades are dangerous
« Reply #10 on: July 01, 2002, 02:29:55 PM »
> - add RedHat's chunk encoding fix to local build.
>
> * Tue Jun 18 2002 Nalin Dahyabhai 1.3.22-6
>
> - backport chunked encoding fix from 1.3.26
> [...]

thanks!

>
> But if you don't trust the release announcement, I'm not sure you'll trust the
> changelogs either. That's covered, too -- the source RPMs are available on
> ftp.e-smith.com, and you can verify the contents of the patch that's applied and
> ensure that it's being applied.

I am not in any way untrustful of your source code. But I have my doubts on *any* update code written for standard systems, while mine is somewhat tweaked. That is all. When I see a lot of error messages I want to double check. That is all.

hc


>
> Cheers,
> --Rich