[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [FLSA-2006:195418] Updated sendmail packages fix security issue


On Mon, 30 Oct 2006, David Eisenstein wrote:

Lawrence Houston wrote:
Subject: Re: [FLSA-2006:195418] Updated sendmail packages fix security issue
From: Lawrence Houston <legacy -AT- greenfield.dyndns.org>
Date: Sun, 29 Oct 2006 09:34:17 -0500 (EST)
To: fedora-legacy-announce redhat com
On Sun, 29 Oct 2006, Lawrence Houston wrote:

On Sun, 29 Oct 2006, fedora-legacy-announce redhat com wrote:

Red Hat Linux 7.3:


For the Red Hat 7.3 Distribution the above updates can also be found
within the "updates-testing" Area:



Which means the final release of these updates will NOT be available
by YUM until the comments around the "updates-testing" section of
yum.conf have been removed!!!  My understanding is this should NOT be
required since the same updates should NOT appear in both areas???

A similar pattern repeats for the Red Hat 9 Distribution...  Secondly I
failed to notice the leading '0' on the Major Release Number such that
removing the comments around the "updates-testing" sections still will
NOT allow the July 27th Sendmail Updates to be applied...  The net
effect being the July 27th Update are being "held back", either on
purpose or because of an over-sight???

Lawrence Houston  --  (legacy greenfield dyndns org)

I think there is something wrong with the header files that yum depends on to
do updates.  Perhaps our 'push-to-update' scripts did not generate them cor-
rectly, or they may not have been pushed correctly from the build server to
download.fedoralegacy.org.  We're looking into that.

Are messages you see that display the URL that have 'sendmail-*0-*.i386.rpm' being
generated by the yum program?  No such URL's were included in the Fedora Legacy
Security Advisory FLSA-2006:195418, so I was wondering where you saw them.

After I uncommented the "updates-testing" section witin yum.conf YUM complains about the MD5 Signatures failing, which was before I noticed the headers within "updates-testing" following that "strange" pattern with that leading "0-" on their version numbers:

Error: MD5 Signature check failed for /var/cache/yum/updates-testing/packages/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm

The above RPM within my YUM Cache Tree is a very small HTML "like" File containing a message about the RPM not existing within "updates-testing":

The requested URL /redhat/7.3/updates-testing/i386/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm was not found on this server.

Which is in keeping with your observations that the RPMs do NOT actually exist within "updates-testing", with an apparent error in the Header Generation... Also the above error messages do NOT include the leading "0-" within the "displayed" version numbers, those I see by Browsing the Headers on Legacy's Web Site within the "updates-testing" tree... You are correct I did NOT see those RPMs within "update-testing" on Legacy's Web Site!!!

NOTE: with "updates-testing" commented out of yum.conf, YUM is still fails to detect the July 27th SENDMAIL Updates within "updates" (which should be installed)??? YUM claims there are NO Packages are available for Update, which is NOT True since the July 27th SENDMAIL Updates should applied!!!

In the meantime, if you wish to update these files manually, you can download
them with wget or a web browser using the URLs given in the Advisory message.  You
can then use the 'rpm -U' command (as user root) to update the sendmail packages.
That will do the same thing that yum should have done.

Lawrence Houston  --  (legacy greenfield dyndns org)

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]