Koozali.org: home of the SME Server

Damn.. so many security updates...

guestHH

Damn.. so many security updates...
« on: September 22, 2003, 08:46:32 PM »
- Apache
- mod_ssl
- perl

can't keep up with it....

Ergin

Re: Damn.. so many security updates...
« Reply #1 on: September 22, 2003, 10:03:48 PM »
Hi there !

Care to share some more ?

guestHH

Re: Damn.. so many security updates...
« Reply #2 on: September 22, 2003, 10:07:54 PM »
well.... subscribe yourself to the RedHat security mailing lists and you'll know all the details

Ergin

Re: Damn.. so many security updates...
« Reply #3 on: September 22, 2003, 10:18:45 PM »
I understand your point... *** sigh ***

I don't know if there is anything I can say to comfort you BUT considering how often we have to patch (at work) to keep W2K servers running this is quite acceptable.

I myself was looking for an upgrade RPM for apache-1.3.27 and I finally found one somewhere. Well, when I tried to upgrade apache I couldn't since it required glibc 2.3 etc etc...

So I took my test server (an old Pentium 200MMX) and tested and so far it looks OK.

My point is, the upgrades for RH8 and RH9 are quite in time and RH73 daemon packages aren't updated as often as the newer versions. So my next step is installing all the developer packages and creating my own RPMS... I am NOT really sure if I can pull this off but I sure will give it a try. (I don't think my wife will appreciate me spending more time in front of the computer)...

I understand how you feel... Just hang in there.

Byte

Re: Damn.. so many security updates...
« Reply #4 on: September 22, 2003, 10:39:49 PM »
take a look at this http://freshmeat.net/projects/rhupdate/?topic_id=147%2C253


It's free and checks your machine for updates, easy to install/compile. We use it for all our machines. It gives you a list of what needs updating and you can install what you want. It's for those who can't afford the Redhat Network Updates; instead of using the GUI you use the good old command line.

Hope this helps

Byte

Ray Mitchell

Re: Damn.. so many security updates...
« Reply #5 on: September 22, 2003, 11:02:37 PM »
Don't the updates that Mitel release keep a standard server secure?

I was under the impression that a lot of the security notifications from other sources often do not apply to the Mitel sme server, mostly because sme does not use the specific versions of rpms that are affected.
My understanding was that Mitel release security fixes when absolutely necessary.
It also seems that many of the security tests out there will find false positives, and that the sme server is not actually compromised even though the test suggests it is.
Have I got it wrong?

Regards
Ray Mitchell

Adserg

Re: Damn.. so many security updates...
« Reply #6 on: September 23, 2003, 12:19:55 AM »
Hi Ray

That's my understanding?

I'm getting worried now.

Adserg

dave

Re: Damn.. so many security updates...
« Reply #7 on: September 23, 2003, 12:48:22 AM »
I think Ray's correct in that SME doesn't use many of the modules that standard RedHat will.  Trimming down the number of installed modules helps keep the system more secure; fewer installed modules/running processes means fewer vulnerabilities.  This also means when RedHat posts security issues, these issues may not apply to SME because the module may not be there.  Take a look at the install for RH and compare that with SME.  Last time I downloaded RH ISOs, there were 3 install CDs and a separate documentation CD, whereas SME is a trim single-CD install.

Another thing is that SME only firewalls the public NIC in a server and gateway configuration.  In server only, there is no network protection (firewalling) enabled.  This is by design and I believe it's a good one.  The belief is if it ('it' being any TCP/IP packet/datagram) is on the internal network, it's supposed to be.
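The question Ray and dave raise (does a Red Hat advisory even apply to this box?) comes down to comparing the installed package's version/release with the advisory's fixed version using rpm's own ordering rules. The following is an added example, not code from this thread or from SME; the installed package list and advisory entries are constructed placeholders, and the epoch is ignored because plain `rpm -qa` does not print it.

```python
"""Triage advisories against an RPM-based box (added example, not SME or Red Hat code)."""
import re

def rpmvercmp(a, b):
    """rpm-style label compare: digit/alpha segments, separators ignored, numeric
    segments compared by value and ranked above alpha ones. Returns -1, 0 or 1."""
    i = j = 0
    while True:
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pat = r"\d+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(pat, a[i:]).group()
        m = re.match(pat, b[j:])
        if m is None:  # segment types differ: the numeric side is newer
            return 1 if numeric else -1
        seg_b = m.group()
        i, j = i + len(seg_a), j + len(seg_b)
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    # equal so far: whichever label still has characters left is the newer one
    return 0 if i >= len(a) and j >= len(b) else (-1 if i >= len(a) else 1)

def parse_nvr(nvr):
    """'apache-1.3.27-2' -> ('apache','1.3.27','2'); plain rpm -qa omits the epoch."""
    return tuple(nvr.rsplit("-", 2))

def advisory_status(installed, name, fixed_ver, fixed_rel):
    have = {n: (v, r) for n, v, r in map(parse_nvr, installed)}
    if name not in have:
        return "not installed"  # the advisory's package is not on this box
    ver, rel = have[name]
    c = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
    return "update needed" if c < 0 else "already at or above fixed version"

# Constructed rpm -qa output and advisory entries (placeholder versions, not real).
INSTALLED = ["apache-1.3.27-2", "mod_ssl-2.8.12-2", "perl-5.6.1-34.99.6"]
ADVISORIES = [("apache", "1.3.27", "3"), ("mod_ssl", "2.8.12", "2"),
              ("perl", "5.8.0", "88"), ("httpd", "2.0.40", "21")]

def triage(installed=INSTALLED, advisories=ADVISORIES):
    return {n: advisory_status(installed, n, v, r) for n, v, r in advisories}
```

To run it against a real box, feed `triage()` the lines of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` and the package/fixed-version pairs from the advisory text; a "not installed" result is exactly the case dave describes where the advisory does not apply to SME.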

Michael Soulier

Re: Damn.. so many security updates...
« Reply #8 on: September 23, 2003, 01:24:51 AM »
guestHH wrote:
>
> - Apache
> - mod_ssl
> - perl
>
> can't keep up with it....

Luckily, we can. ;-)

The above are nothing to worry about on the SME. We don't use renegotiation, and there is no exposure for the CGI module in supported code. That said, unsupported code using the CGI module should be audited by the authors to ensure no vulnerability.

Cheers,
Mike