Re: RHSA-2005:472-05 (kernel security update) not required for all?

[Ben <bda20 cam ac uk>]

On Thu, 26 May 2005, Stephen Gardner wrote:

> On Thu, 26 May 2005, Ben wrote:
>
> > [...]
> > According to my own records and RHN, all of my machines (WS and AS) are 
> > running kernel 2.4.21-32.EL, many (WS and AS) are running 
> > 2.4.21-32.ELsmp. One AS machine has 4GB of RAM, the remainder have 
> > between 512MB and 2GB of RAM.
> >
> > All (bar one) were kickstarted from RHEL3 u4 kickstart points and have 
> > been through the 2.4.21-27.0.2.EL -> 2.4.21-27.0.4.EL -> 2.4.21-32.EL 
> > kernel upgrade path.  All are fully up to date with regard to up2date 
> > and the RHN. None of these machines apparently require that 
> > RHSA-2005:472-05 be applied.
> >
> > The remaining one AS machine was kickstarted very recently from a RHEL3 
> > u5 kickstart point directly to kernel 2.4.21-32.ELsmp.  Only this 
> > machine is listed in RHN as requiring the upgrade to 2.4.21-32.0.1.EL 
> > (the above RHSA-2005:472-05).  There's an additional RHSA-2005:413-04 
> > regarding ImageMagick which also only seems to apply to this machine and 
> > none of the others but I'm not so concerned about that.
> >
> > This single machine was kickstarted in an identical manner (other than 
> > using a u5 rather than a u4 kickstart set) to another machine, runs on 
> > identical hardware and has all the same RPMs on.  That other machine 
> > doesn't require either errata.  I don't get it.
> >
> > Does anyone know what's going on?
>
> As a matter of interest on the machines that RHN says does not require 
> RHSA-2005:472-05, what's in /etc/redhat-release?

Red Hat Enterprise Linux AS release 3 (Taroon Update 5)

On every single machine.  I checked them all.


> From what I've seen a machine that has a "Update 5" redhat-release 
> package but does not have the latest kernel shows up in RHN as requiring 
> that update.

All but one machine with the above redhat-release is listed on RHN with

Kernel: 2.4.21-32.EL(smp in some cases)

So I don't think that holds true in my case.


> A machine running U4 does not show up as requiring RHSA-2005:472-05 (in 
> RHN) but the package will be listed as a new kernel package in up2date.

All my machines are running complete U5 update sets.  The only difference 
between them and the one apparently requiring RHSA-2005:472-05 is that it 
was built as a U5 box, rather than having gone U4->U5 after install.


> If I'm following this correctly RHSA-2005:472-05 is a U5 Errata update 
> which shows up in RHN for U5 systems.

Which, according to redhat-release _all_ of my machine are (-:


> Additionally it's an available package update for U4 machines which won't 
> show up in RHN until redhat-release is upgraded.

I don't quite parse your meaning here.


> From what I can tell RHN is checking the redhat-release as a baseline, 
> currently if you're U5 you need RHSA-2005:472-05, if you're U4 you can 
> upgrade the kernel package to 2.4.21-32.0.1.EL. Both are the same thing 
> viewed from different perspectives by RHN and up2date.

OK, but this still doesn't make sense given that _all_ of my boxes are 
running 2.4.21-32.ELsmp and have U5 in their redhat-release...

... Tell a lie, I have one box that is still on kernel 2.4.21-27.0.2.EL 
(although all U5 RPMs have been installed so redhat-release says U5).  It 
hasn't been rebooted to use 2.4.21-32.EL yet.  Surely it should therefore 
be flagged for 2.4.21-32.0.1.EL?  It isn't.

I'm confused.

Ben
--
Unix Support, MISD, University of Cambridge, England
Plugger of wire, typer of keyboard, imparter of Clue
        Life Is Short.          It's All Good.