On Wed, Jun 25, 2008 at 01:58:22PM +0300, Ag. D. Hatzimanikas wrote:
>
> I've gathered this information about vulnerable packages (could be more).
>
> PACKAGE   | LINK | BOOK VERSION | RESOLUTION |
> ____________________________________________
> Ruby      | [1]  | AFFECTED     | Upgrade    |
> Freetype  | [2]  | AFFECTED     | Upgrade    |
> Libvorbis | [3]  | AFFECTED     | [9]        |
> Openssl   | [4]  | AFFECTED     | Upgrade    |
> Imlib     | [5]  | AFFECTED     | [10]       |
> Libxslt   | [6]  | AFFECTED     | Upgrade    |
> Mplayer   | [7]  | AFFECTED     | Upgrade    |
> Libpng    | [8]  | AFFECTED     | Upgrade    |
> ============================================

So, last night I couldn't sleep - again [ for people in the UK whose doctors are under pressure to prescribe: Simvastatin - just say no! ] and I thought I'd do some photo editing on my 6.3 box, until I remembered that firefox needed to be updated there. And by a somewhat circuitous route I got back to here.
Tonight, I was so pleased that I'd got the hang of 'svn merge' that I overlooked that I wasn't applying the patch (thanks, Randy), so clearly that is my first task.

Of the vulnerabilities you've highlighted, I can probably do the following - freetype, libvorbis, libxslt, libpng - and from those that came up later in the thread, I can probably do poppler, and perhaps fetchmail (I use it, but only on x86_64-64).

Oh, and perl-5.8.8: I've no idea where the LFS book is headed after the discussions about package management, and I was half expecting it to move to 5.10 (which has its own vulnerability), but in the meantime I should be able to pull the patch(es) from redhat-enterprise.

I'm not sure about xorg-server - I'll defer to Dan on what we should be doing there.

As to openssl, I'm very much "don't know" - I do my best to build _without_ static libraries for my own use, and in the past I've had problems trying to upgrade this on my x86_64-64 server, so I guess I'm not the right man for this.

Which leaves Ruby (I wouldn't touch that with a barge-pole, but I note lwn.net highlighted problems with the upgrade - it broke rails), imlib (I may use icewm, but I don't need this obsolete library), and Mplayer. -ENO_INTEREST for those.

I'll also be doing firefox, again. Possibly, there are similar sets of problems with seamonkey or even thunderbird, but I don't care about those.

So, give me two or three days and I hope to fix most of these.

But I do wonder whether we ought to have some additional comments in the book on security? A regular distro updates its packages as vulnerabilities become known. We sometimes do this; more often we just upgrade to a newer version. The long gestation of 6.3 has been a bit unusual - a lot more backported fixes than usual. Perhaps we should be spelling out to our users that they need to monitor vulnerabilities for themselves? Alternatively, perhaps we should just put a big warning "some of these packages have known vulnerabilities - too bad!"?
(like the 'nobody cared' messages from the kernel).

ĸen

--
the first time as tragedy, the second time as farce

--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
