Re: [expert] I Hate RPM's!!
Thanks Vincent for all the education. I knew that was the best way to get the info out of someone. This was all done on a test system, so nothing is really lost so far.

It makes perfect sense from your explanation that the RPM's I was trying to install are for RH. In the future, how does one make rpm's for Mandrake then? Say, I want "openssl version" to show me 0.9.7b so that I don't get flagged by some scanners looking at responses to the version command? I was trying to update openssl to stop myself from getting "flagged" for having a vulnerable system based on a version # only. [eg. sendmail 8.12.6 is patched on Mandrake, BUT, I had to upgrade to 8.12.9 for the same reason!, since scanners would flag 8.12.6 as vulnerable].

Also, after changing the links in /usr/lib to point to the newer /usr/lib/libcrypto.so.0.9.7, then running ldconfig, it reset them to the original config! (ie. pointing back to 0.9.6). Can you educate me on that too? Reading "man ldconfig" has not shed any light yet!

Good thing I have not touched any actual hosts being used. BUT, how then can I run openssl-0.9.7b on them (using rpm)?

_Thanks much

Richard

--- Vincent Danen <[EMAIL PROTECTED]> wrote:
> On Tue Jul 29, 2003 at 10:54:20AM -0700, Tru64 User wrote:
>
> > i checked my openssl, it was version 0.9.6x
> > (vulnerable)
> > MandrakeUpdate, does not offer its upgrade via
> > security updates.
>
> What vulnerability are you thinking of, specifically? Is it this one:
>
> http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:035
>
> AFAIK, there is 0.9.6x version of OpenSSL. Also keep in mind that we do not
> usually upgrade OpenSSL, but rather patch it so your version may not be
> vulnerable, although I am interested in knowing what vulnerability you are
> referring to.
>
> > OK. So? Download openssl-0.9.7b (No rpm available)
> > OK. Make one of my own (rpm -tb .tar.gz), Fine.
>
> That's not a mandrake spec that is included in the tar.gz. It is probably
> not properly "libified" and rather uses RH's style of packaging.

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] I Hate RPM's!!
Richard,

Do you know something about urpmi? It is a Mandrake feature: you can add several internet servers as rpm sources (urpmi.addmedia) and install lots of packages (in rpm format) just by writing "urpmi ". I have added the textar, plf and contribs sources, and I have forgotten the rpm dependency problems.

Regards

--
Francisco Alcaraz Ariza
Murcia, España (Spain)
Re: [expert] I Hate RPM's!!
On Tue Jul 29, 2003 at 10:54:20AM -0700, Tru64 User wrote:

> i checked my openssl, it was version 0.9.6x
> (vulnerable)
> MandrakeUpdate, does not offer its upgrade via
> security updates.

What vulnerability are you thinking of, specifically? Is it this one:

http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:035

AFAIK, there is 0.9.6x version of OpenSSL. Also keep in mind that we do not usually upgrade OpenSSL, but rather patch it so your version may not be vulnerable, although I am interested in knowing what vulnerability you are referring to.

> OK. So? Download openssl-0.9.7b (No rpm available)
> OK. Make one of my own (rpm -tb .tar.gz), Fine.

That's not a mandrake spec that is included in the tar.gz. It is probably not properly "libified" and rather uses RH's style of packaging.

> Try installing (complains about conflicting stuff!)
> rpm -e openssl-0.9.6* ;libopenssl0-0.9.6i-1.4mdk is
> needed by a bunch of stuff.
> So, I used rpm -i --force openssl-0.9.7b-.

This is already bad news. You've pretty much borked your system yourself by doing this. OpenSSL 0.9.6 and OpenSSL 0.9.7 are *not* compatible.

Ahh... I see you have 0.9.6i and not 0.9.6x... so you are running either 9.0 or 8.2. The version is also the latest update that is out. So either there is a new vulnerability for openssl that we are not aware of, or you hosed your system for nothing (ie. that version of openssl is patched).

Taking a quick trip to www.openssl.org... Ok, I see that 0.9.6j is out, but the openssl page says nothing about security fixes, just bugfixes. Unfortunately, the changelog on the site is kinda messed, so I'm downloading 0.9.6j to read the changelog.

Aaargh... I should have saved myself the effort. 0.9.6j was released April 10th to fix those things we patched in March, using patches the openssl team provided. In other words, you borked your system for absolutely nothing.

> OK, Good. But libopenssl0-0.9.6i-1.4mdk was not
> overwritten! So? manually adjusted link for
> libssl.so.0 to point to libssl.so.0.9.7 instead of
> libssl.so.0.9.6, and likewise for libcrypto.so.0
>
> OK. Good. Openssl upgraded.

Not good. Very very bad.

> #ssh otherhost;
> OpenSSL version mismatch. Built against 90607f, you
> have 90702f
>
> Arrrggg.i will have to built my own ssh then,

Of course. You changed OpenSSL. OpenSSH must be built against the version of openssl on your system... which is why we *patch* OpenSSL instead of using the latest and greatest.

> no rpm for 3.6p1 available. Try building my own:
> rpm -tb openssh-3.6p1.tar.gz
> error: x11-askpass missing.

Again, not a mandrake spec.

> Duh!! Downloaded that from some site:
> one more try: error: failed build dependencies:
> XFree86-imake is needed by openssh-3.6p1-2
>
> Can't locate XFree86-imake rpm!!

You wouldn't. That's a Red Hat thing based on a Red Hat spec.

> Gave up making openssh rpm, I will perform manual
> install:
> ./configure --with-tcp-wrapper
> Error; libwrap not found (I have tcp-wrapper rpm
> installed though!!)

Do you have tcp_wrappers-devel installed? That's probably what you need.

> Google for libwrap library, found an rpm for it:
> rpm -ivh libwrap-7.6.30.i386.rpm ; Error:error: failed
> dependencies:
> tcp_wrappers < 7.6-28 conflicts with libwrap-7.6-30
>
> So, now I have to uninstall tcp_wrappers to install
> libwrap
> (If you are still reading, do you even remember the
> original problem?)

Good grief man, you're trying to install a Red Hat rpm here too! What would possibly possess you to do that?

> Why are things this complicated

Because a) you made a silly assumption without verifying it, b) you're mixing and matching stuff from all over the place (ie. RH rpms), c) you're trying to use a version of openssl that nothing is built against (you'd have to rebuild a lot more than just openssh IIRC).

If you would have bothered to find out just what you thought you were vulnerable to, asked here or on the discuss@ list prior to jumping on your journey of system-self-destruction, you would have been told (probably rather quickly) that the version of openssl you had originally installed was perfectly fine and *not* vulnerable. Resources such as MandrakeSecure (the website, discussion mailing lists, etc.) exist so people don't have to do things like this or, if they feel they need to, can at least be informed prior to doing it.

I'm sorry to say that you made this complicated mess for absolutely no gain. =(

--
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
Re: [expert] I Hate RPM's!!
On Tue, 2003-07-29 at 10:54, Tru64 User wrote:
> Hi,
>
> i checked my openssl, it was version 0.9.6x
> (vulnerable)
> MandrakeUpdate, does not offer its upgrade via
> security updates.
>
> OK. So? Download openssl-0.9.7b (No rpm available)
> OK. Make one of my own (rpm -tb .tar.gz), Fine.
>
> Try installing (complains about conflicting stuff!)
> rpm -e openssl-0.9.6* ;libopenssl0-0.9.6i-1.4mdk is
> needed by a bunch of stuff.
> So, I used rpm -i --force openssl-0.9.7b-.
>
> OK, Good. But libopenssl0-0.9.6i-1.4mdk was not
> overwritten! So? manually adjusted link for
> libssl.so.0 to point to libssl.so.0.9.7 instead of
> libssl.so.0.9.6, and likewise for libcrypto.so.0
>
> OK. Good. Openssl upgraded.
>
> #ssh otherhost;
> OpenSSL version mismatch. Built against 90607f, you
> have 90702f
>
> Arrrggg.i will have to built my own ssh then,
> no rpm for 3.6p1 available. Try building my own:
> rpm -tb openssh-3.6p1.tar.gz
> error: x11-askpass missing.
>
> Duh!! Downloaded that from some site:
> one more try: error: failed build dependencies:
> XFree86-imake is needed by openssh-3.6p1-2
>
> Can't locate XFree86-imake rpm!!
> Gave up making openssh rpm, I will perform manual
> install:
> ./configure --with-tcp-wrapper
> Error; libwrap not found (I have tcp-wrapper rpm
> installed though!!)
> Google for libwrap library, found an rpm for it:
> rpm -ivh libwrap-7.6.30.i386.rpm ; Error:error: failed
> dependencies:
> tcp_wrappers < 7.6-28 conflicts with libwrap-7.6-30
>
> So, now I have to uninstall tcp_wrappers to install
> libwrap
> (If you are still reading, do you even remember the
> original problem?)
>
> Why are things this complicated
>
> _Thanks
>
> Richard

The problem comes with exactly what you are running into. But you are yelling at the messenger, not the sender. The problem isn't rpm but rather openssh. When openssh people fix a "bug" they don't have to worry about dependency on anything but openssh. MDK, or for that matter RH, SuSE etc etc etc, have to worry about all of the applications built against the previous version as well.

So what Vincent does (or the package maintainer) is to look at the changes from the version with the bug to the version with the fix. Weed out all of the "new features" that have nothing to do with the bug and that will/might break other applications built against this lib package (both in building new apps, and in running installed apps), then package it and release it as a new build. Not necessarily with the new version name and number, because it might not be the complete new version, but it is new in that it contains the needed security/bug fix so that your computer is less vulnerable to the black hats of the world.

Sometimes this will hold true even from one point release to the other. Because some libs (take for an extreme example glibc) are so pervasive that they require massive application rebuilds and spec file re-thinks. This isn't pretty. (Which IMHO is why .0 releases are often the buggiest of the lot.)

The solution is ... use the update rpms. They are the ones that contain the security fixes.

Read the MDK errata for your release.
http://www.mandrakelinux.com/en/errata.php3

Read the security notices for your release.
http://www.mandrakesecure.net/en/advisories/

And check there to be sure that you really do need the update you are trying to do. It may actually already be on your box or in the version in updates.

Last thing you could do is to ask here if a == b? If you find something that Vincent or the maintainer of the package has possibly missed, I know they are willing to listen and take action. This has been proven over and over again. (Case in point, build 24mdk of the kernel had barely made it to the mirrors when one of the users here found a serious security hole. Within 24 hours a new kernel release fixing the holes had been completed, checked and mirrored. That's moving.)

When you get down to lib level often you will be faced with a choice. Trust the security updates. Turn your system into MDK-From-Scratch (as opposed to Linux-from-Scratch) or ask Vincent et al.

BTW the build version in 9.1 and the update in < 9.0 contains the security fix and does do privilege separation. Which I'm guessing is why you wanted 3.6. Also... 3.6 for Linux is still pretty alpha-ish. (According to some of the openbsd guys I know.) However alpha for those guys is release for M$. Remember there is a reason the word "Bleeding" is used in reference to being just beyond the cutting edge.

James
Re: [expert] I Hate RPM's!!
RPM is not your problem here. The warning messages you are getting are from OpenSSL. The OpenSSL API changes between versions. It is trying to verify that the version you linked against is the version you are actually calling. (There are some very good reasons to do this.) Upgrading OpenSSL by hand is not for the timid.

And now a real reason to hate RPM. (This is fixable BTW.) If you use "--whatrequires" to find all the things that OpenSSL is supposed to link against, you will get a small handful of the actual dependencies. If you use "-e", you will get a complete list. (If the library is not listed in the spec file, the autodependency will pick it up, but only the library name, not the correct package.) And then there is the bug in "obsoletes"...

On Tue, 29 Jul 2003, Tru64 User wrote:

> Hi,
>
> i checked my openssl, it was version 0.9.6x
> (vulnerable)
> MandrakeUpdate, does not offer its upgrade via
> security updates.
>
> OK. So? Download openssl-0.9.7b (No rpm available)
> OK. Make one of my own (rpm -tb .tar.gz), Fine.
>
> Try installing (complains about conflicting stuff!)
> rpm -e openssl-0.9.6* ;libopenssl0-0.9.6i-1.4mdk is
> needed by a bunch of stuff.
> So, I used rpm -i --force openssl-0.9.7b-.
>
> OK, Good. But libopenssl0-0.9.6i-1.4mdk was not
> overwritten! So? manually adjusted link for
> libssl.so.0 to point to libssl.so.0.9.7 instead of
> libssl.so.0.9.6, and likewise for libcrypto.so.0
>
> OK. Good. Openssl upgraded.
>
> #ssh otherhost;
> OpenSSL version mismatch. Built against 90607f, you
> have 90702f
>
> Arrrggg.i will have to built my own ssh then,
> no rpm for 3.6p1 available. Try building my own:
> rpm -tb openssh-3.6p1.tar.gz
> error: x11-askpass missing.
>
> Duh!! Downloaded that from some site:
> one more try: error: failed build dependencies:
> XFree86-imake is needed by openssh-3.6p1-2
>
> Can't locate XFree86-imake rpm!!
> Gave up making openssh rpm, I will perform manual
> install:
> ./configure --with-tcp-wrapper
> Error; libwrap not found (I have tcp-wrapper rpm
> installed though!!)
> Google for libwrap library, found an rpm for it:
> rpm -ivh libwrap-7.6.30.i386.rpm ; Error:error: failed
> dependencies:
> tcp_wrappers < 7.6-28 conflicts with libwrap-7.6-30
>
> So, now I have to uninstall tcp_wrappers to install
> libwrap
> (If you are still reading, do you even remember the
> original problem?)
>
> Why are things this complicated
>
> _Thanks
>
> Richard
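Vincent's point that OpenSSH "must be built against the version of openssl on your system", and the reply above that the warning comes from OpenSSL verifying the version it was linked against, both rest on OpenSSL's packed version number. The following is an added example, not code from the thread or from OpenSSH: it decodes the two values quoted in the original post (90607f and 90702f) and applies a compatibility test modelled on the one in OpenSSH's entropy.c of that era, whose exact mask (ignore only the patch-letter field) is an assumption here.

```python
# Added example: decode OpenSSL's packed OPENSSL_VERSION_NUMBER and show why
# "Built against 90607f, you have 90702f" is fatal while a backported patch
# release (0.9.6i against 0.9.6g) is not.
#
# 0.9.x numbering is 0xMNNFFPPS:
#   M = major, NN = minor, FF = fix, PP = patch letter (1 = 'a'),
#   S = status (0 = dev, 1..0xe = beta, 0xf = release).

def decode_openssl_version(number: int) -> str:
    """Turn a packed version number into the familiar '0.9.6g' form."""
    major = (number >> 28) & 0xF
    minor = (number >> 20) & 0xFF
    fix = (number >> 12) & 0xFF
    patch = (number >> 4) & 0xFF
    status = number & 0xF
    text = f"{major}.{minor}.{fix}"
    if patch:
        text += chr(ord("a") + patch - 1)
    if status == 0:
        text += "-dev"
    elif status < 0xF:
        text += f"-beta{status}"
    return text

# Assumption: OpenSSH 3.x compared the library it was compiled against with
# the one loaded at run time and ignored only the PP (patch letter) byte,
# i.e. (built ^ running) & ~0xff0 must be zero.
COMPAT_MASK = ~0xFF0

def openssl_compatible(built_against: int, running: int) -> bool:
    """True when major/minor/fix/status match; patch letter may differ."""
    return ((built_against ^ running) & COMPAT_MASK) == 0

def mismatch_message(built_against: int, running: int):
    """Return the fatal() text in the same wording the thread quotes, or None."""
    if openssl_compatible(built_against, running):
        return None
    return (f"OpenSSL version mismatch. Built against {built_against:x}, "
            f"you have {running:x}")

if __name__ == "__main__":
    built, have = 0x0090607F, 0x0090702F   # the two values from the thread
    print(decode_openssl_version(built), "->", decode_openssl_version(have))
    print(mismatch_message(built, have))
    # A distro security update that stays at 0.9.6 (0.9.6i) is accepted by a
    # binary built against 0.9.6g, which is why backporting keeps sshd working.
    print(mismatch_message(built, 0x0090609F))
```

Decoding the thread's numbers gives 0.9.6g and 0.9.7b: the fix field (6 versus 7) differs, so the check fails, while 0.9.6g versus 0.9.6i differ only in the patch letter and pass.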
Re: [expert] I Hate RPM's!!
On Tue, 2003-07-29 at 13:54, Tru64 User wrote:
> So, now I have to uninstall tcp_wrappers to install
> libwrap
> (If you are still reading, do you even remember the
> original problem?)
>
> Why are things this complicated
>
> _Thanks
>
> Richard

You have to understand that everything in an Elf based system affects almost everything else. Look up a program called Rpmgraph on freshmeat.net or google and you will begin to understand what I mean. An rpm system takes into account that the entire distro is a system that is balanced on itself. Some items are more critical to that balance than others; glibc is a good example since nearly everything that's not statically compiled depends on glibc. A glibc foobar will hose the whole system.

You can't really understand the importance of a dependency based distro until you either study the intricacies and implications of an rpmgraph in detail or else you run a non-dependency based distro for a few years and deal with the breakage there. I promise you that no matter how bad you think your troubles are now, they are as nothing compared to when a major break occurs in a non-dependency based distro. Like Slackware, for instance. Slackware, like any other elf type distro, is a system that's balanced on itself. That balance can easily be thrown out of whack with the installation of a tar.gz that unilaterally installs itself without regard to the consequences.

The main difference between dependency and non-dependency is that the rpm's weigh the consequences of what they are about to do, and in so doing force you to do the same. What they cannot do is give you the experience of running a non-dependency distro.

--LX

--
°°° Linux Mandrake 9.1 Kernel 2.4.21-0.13mdk
"Filter That, Beach!" --Lanman, MDK Newbie List
Re: [expert] I Hate RPM's!!
On September 1993 plus 3618 days [EMAIL PROTECTED] wrote:

> Why are things this complicated

Because you aren't reading the security advisories sent by mandrake. Vincent and the rest of the secteam backport the security patches to the version that came out with whichever release of mandrake that has a vulnerability, instead of just upgrading to the latest stable/secure version of the packages. If you use MandrakeUpdate to update your box, and it tells you there are no security updates, it's because you are on the latest patched version of the packages. This is done so you don't have to download a bunch of packages that have no problems just because they were compiled against the version that the distro was released with.

So...you went through all of this without cause or reason.

Vox

--
Think of the Linux community as a niche economy isolated by its beliefs. Kind of like the Amish, except that our religion requires us to use _higher_ technology than everyone else.
-- Donald B. Marti Jr.
[expert] I Hate RPM's!!
Hi,

i checked my openssl, it was version 0.9.6x (vulnerable)
MandrakeUpdate, does not offer its upgrade via security updates.

OK. So? Download openssl-0.9.7b (No rpm available)
OK. Make one of my own (rpm -tb .tar.gz), Fine.

Try installing (complains about conflicting stuff!)
rpm -e openssl-0.9.6* ;libopenssl0-0.9.6i-1.4mdk is needed by a bunch of stuff.
So, I used rpm -i --force openssl-0.9.7b-.

OK, Good. But libopenssl0-0.9.6i-1.4mdk was not overwritten! So? manually adjusted link for libssl.so.0 to point to libssl.so.0.9.7 instead of libssl.so.0.9.6, and likewise for libcrypto.so.0

OK. Good. Openssl upgraded.

#ssh otherhost;
OpenSSL version mismatch. Built against 90607f, you have 90702f

Arrrggg.i will have to built my own ssh then, no rpm for 3.6p1 available. Try building my own:
rpm -tb openssh-3.6p1.tar.gz
error: x11-askpass missing.

Duh!! Downloaded that from some site:
one more try: error: failed build dependencies:
XFree86-imake is needed by openssh-3.6p1-2

Can't locate XFree86-imake rpm!!
Gave up making openssh rpm, I will perform manual install:
./configure --with-tcp-wrapper
Error; libwrap not found (I have tcp-wrapper rpm installed though!!)
Google for libwrap library, found an rpm for it:
rpm -ivh libwrap-7.6.30.i386.rpm ; Error:error: failed dependencies:
tcp_wrappers < 7.6-28 conflicts with libwrap-7.6-30

So, now I have to uninstall tcp_wrappers to install libwrap
(If you are still reading, do you even remember the original problem?)

Why are things this complicated

_Thanks

Richard