On Tue, 31 Dec 2002, grenoml wrote:

>   There are some security holes with the version of Apache webserver
> (httpd-2.0.40) that ships with RedHat 8.0.  There are also security
> holes with regard to the RH8 OpenSSL version 0.96b (need 0.96h or
> later to plug them).  There are also issues with Apache mod_jk2
> versions that are only compatible with httpd-2.0.42 or .43.
>   I ran up2date but there are only the same versions of these
> applications available.

Hmm, seems like a few things are more appropriate for the psyche-list but
okay - this has been brought up many times before: what Red Hat does
with many applications is the backporting of patches while keeping the
old major version number, and changing the release version. What you see
with e.g. OpenSSL is indeed a secure version with most or even all of
the patches up to 0.9.6g (or even h) but backported to the 0.9.6b (the
hows and whys are out of my scope, but maybe reading the changelogs of
both OpenSSL source and the OpenSSL RedHat RPMs clears this up).

> I would like to upgrade to at least OpenSSL 0.96h and Apache
> httpd-2.0.43 on my RH8 system to close these security holes and to
> take advantage of mod_jk2 improvements.  How can I do this and still
> retain the proper package dependencies in the RPM database?

If you want to stay with the RPM packaging system maybe building your
own packages would be the solution in this case. The easiest would be to
get a current working source RPM for the application, get the source of
the version you want and edit the specfile to the new situation.
 
> When I do a rpm -q --whatrequires on openssl I see a number of
> packages.  If I just download the source for a newer version of openssl
> and build it how do I install it and not mess things up in the RPM
> world?

I myself treat OpenSSL a bit differently: on machines where I build
Apache from source I install the newest version from source in
/usr/local, while retaining Red Hat's version via RPM.

-- 
Riemer Palstra // [EMAIL PROTECTED] // http://palstra.com/

   A: Because it messes up the order in which people normally read text.
                                 Q: Why is top-posting such a bad thing?



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
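
Added example, not part of the original message: a small shell helper for the changelog check suggested in the reply, listing which advisory identifiers a package changelog mentions and under which version-release. The function names, the sample changelog and its CAN-0000-000x identifiers are constructed placeholders, and it assumes each changelog header line ends with the version-release.

```shell
#!/bin/sh
# Real use:  rpm -q --changelog openssl | changelog_fixes
# Prints "<version-release> <identifier>" for every CVE-/CAN- name found.
changelog_fixes() {
    awk '
        # Header lines look like "* <date> <packager> <version-release>".
        # Assumption: the last field is the version-release.
        /^\* / { rel = $NF; next }
        {
            line = $0
            # Extract every CVE-YYYY-NNNN or CAN-YYYY-NNNN token on the line.
            while (match(line, /(CVE|CAN)-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print rel, substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

# has_fix ID: reads a changelog on stdin, exit status 0 if ID is mentioned.
has_fix() {
    changelog_fixes | awk -v id="$1" '$2 == id { found = 1 } END { exit !found }'
}

# Constructed sample changelog (placeholder identifiers, not real advisories).
sample_changelog() {
cat <<'EOF'
* Mon Jan 01 2001 Example Packager <packager@example.com> 0.9.6b-99
- backport fix for CAN-0000-0001 and CAN-0000-0002

* Sun Dec 31 2000 Example Packager <packager@example.com> 0.9.6b-98
- initial build
EOF
}

sample_changelog | changelog_fixes
```

A missing identifier only means the changelog does not name it; the vendor's errata notice for the installed release is the authoritative record.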
