Why is RPM not very useful?

Please be aware that the version numbers from Red Hat may be a bit confusing because Red Hat does not upgrade versions with these security updates. Instead they backport security patches without bumping up the version number, so it may not be clear at first glance if you are protected or not.
For example my Red Hat 7.3 system has openssl-0.9.6b-28. (Use "rpm -qi openssl" to query the information.) According to the advisory I'm at risk; however, I know I applied the official security update from Red Hat back in July. I can confirm this with:

    rpm -q openssl --changelog | less

Why did you not use Red Hat's automatic updating feature?

The first thing you should do after you install Red Hat is subscribe to Red Hat Network and entitle your system. Nobody has any excuse, because everyone has one free Entitlement with RHN. Entitlement gives you the following convenient features:

* They e-mail you whenever there is a security or bugfix update available for your system.
* You can log in to your RHN account at http://rhn.redhat.com and see at a glance which of your systems need what updates. You can optionally apply updates from this web-based interface.
* Optionally you can use the up2date client on the entitled system. The GUI up2date client is called "Update Agent" in your System menu, and it is as easy as point and click.
* The command line up2date client is very simple. The following basic commands can be used:

    up2date -u    Update all packages that need updating except potentially
                  disruptive packages.
    up2date -uf   Force an update of everything. May take some manual
                  intervention (like rebooting) afterward in order to complete
                  or fix minor configuration files. This is usually
                  recommended because it doesn't often break things, and it
                  will fully upgrade your system.

Below is what it looks like when I typed "up2date -uf" to upgrade my kernel on my home firewall. All automatic! (Note that kernel updates install another kernel rather than removing the old kernel. This allows you to boot into the new kernel for testing from the GRUB menu. If the new kernel proves to be stable, you can remove the old kernel with another rpm command.)

    [EMAIL PROTECTED] root]# up2date -uf
    Retrieving list of all available packages...
    ########################################
    Removing installed packages from list of updates...
    ########################################
    Removing packages marked to skip from list...
    ########################################
    Getting headers for skipped packages...
    ########################################
    The following Packages were marked to be skipped by your configuration:
    Name                                    Version        Rel     Reason
    -------------------------------------------------------------------------------
    kernel                                  2.4.18         10      Pkg name/pattern
    None of the packages you requested were found, or they are already updated.
    [EMAIL PROTECTED] root]# up2date -uf
    Retrieving list of all available packages...
    ########################################
    Removing installed packages from list of updates...
    ########################################
    Getting headers for available packages...
    ########################################
    Removing packages with files marked to skip from list...
    ########################################
    Testing package set / solving RPM inter-dependencies...
    ########################################
    Retrieving selected packages...
    kernel-2.4.18-10.i686.rpm:  ##########################  Done.
    Preparing...                ########################################### [100%]
       1:kernel                 ########################################### [100%]

up2date is also nice for installing additional official software. For example, if you want to use emacs but it isn't installed, simply type "up2date emacs" and it will automatically download and install it for you.

Most major distributions of Linux have some sort of automatic updating facility. If you're pissed off about the need for payment to Red Hat Network for additional entitlements, then consider using Mandrake or Debian instead, which have free updates (though perhaps only 95% reliable rather than 99.99% reliable because they depend on 3rd party sources).
You can alternatively install apt-rpm on Red Hat, which allows it to use an APT-enabled mirror (Videl is not APT enabled, though I am considering it) for automatic updating.

I personally don't bother with the free alternatives to up2date, because $5 a month per machine is a small price for me to pay for my time. I just let Red Hat keep track of the security updates and send me e-mail notices. I can be fairly confident that Red Hat's update packages will download reliably and have gone through extensive QA, unlike similar update packages from Mandrake. It is cheap and just works. I never buy boxed sets of Red Hat, so this is my way of giving thanks to the company.

Red Hat is unique in that it isn't free for multiple systems and it downloads only directly from Red Hat, although you can run your own up2date server called "Current" within your own organization if you want. (Red Hat doesn't support it and doesn't approve of it, but too bad, you can do whatever the heck you want with Open Source Software.)

Here are a few of the automatic updating tools in different Linux distributions:

    Red Hat    CLI: up2date   GUI: "Update Agent"
    Mandrake   CLI: urpmi     GUI: rpmdrake
    Debian     CLI: apt-get
    Gentoo     emerge
    Conectiva  Hmm... something like rpm-get or apt-rpm

http://rhn.redhat.com

Please read the documentation on the Red Hat Network site and you'll understand quickly. Protect your systems with an Entitlement and it will be easy to keep your system patched. The OpenSSL vulnerability was fixed back in July, and you would have received an automated notice from Red Hat if you were subscribed to Red Hat Network.
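As an added example (not part of the original post), here is a small shell helper that turns the "rpm -q openssl --changelog" check above into something scriptable: it reports the version-release in which a given advisory or CVE id first appears in the changelog, rather than trusting the package version. The sample changelog, its packager and its advisory id are constructed placeholders, and installed_fix_release assumes rpm is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: confirm a backported fix by
# reading the RPM changelog instead of comparing version numbers.

# Constructed sample in the layout printed by `rpm -q PKG --changelog`.
# The packager, dates and advisory id are placeholders, not real RHN data.
SAMPLE_CHANGELOG='* Mon Jul 29 2002 Example Packager <pkg@example.com> 0.9.6b-28
- backport security fix for CAN-0000-0000 (placeholder id)
- rebuild against updated headers

* Wed May 01 2002 Example Packager <pkg@example.com> 0.9.6b-24
- add missing man pages'

# fix_release PATTERN: read a changelog on stdin and print the version-release
# of the first entry whose body mentions PATTERN (an advisory or CVE id).
# Prints nothing and returns 1 when no entry mentions it.
fix_release() {
    awk -v pat="$1" '
        /^\* /  { header = $0; next }        # entry header: date, packager, V-R
        header != "" && index($0, pat) {     # body line naming the fix
            n = split(header, f, " ")
            print f[n]                       # last header field is version-release
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# installed_fix_release PKG PATTERN: the same check against the installed
# package. Assumes rpm is on the PATH (an assumption, not from the post).
installed_fix_release() {
    rpm -q "$1" --changelog | fix_release "$2"
}

# Demonstration on the constructed sample:
if rel=$(printf '%s\n' "$SAMPLE_CHANGELOG" | fix_release CAN-0000-0000); then
    echo "fix is present, backported in release $rel"
else
    echo "no changelog entry mentions the fix: treat as unpatched"
fi
```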