
Re: RHSA-2005:472-05 (kernel security update) not required for all?



On Thu, 26 May 2005, Ben wrote:

On Thu, 26 May 2005, Stephen Gardner wrote:

 On Thu, 26 May 2005, Ben wrote:

> [...]
> According to my own records and RHN, all of my machines (WS and AS) are
> running kernel 2.4.21-32.EL, many (WS and AS) are running
> 2.4.21-32.ELsmp. One AS machine has 4GB of RAM, the remainder have
> between 512MB and 2GB of RAM.
>
> All (bar one) were kickstarted from RHEL3 u4 kickstart points and have
> been through the 2.4.21-27.0.2.EL -> 2.4.21-27.0.4.EL -> 2.4.21-32.EL
> kernel upgrade path. All are fully up to date with regard to up2date
> and the RHN. None of these machines apparently require that
> RHSA-2005:472-05 be applied.
>
> The remaining one AS machine was kickstarted very recently from a RHEL3
> u5 kickstart point directly to kernel 2.4.21-32.ELsmp. Only this
> machine is listed in RHN as requiring the upgrade to 2.4.21-32.0.1.EL
> (the above RHSA-2005:472-05). There's an additional RHSA-2005:413-04
> regarding ImageMagick which also only seems to apply to this machine and
> none of the others but I'm not so concerned about that.
>
> This single machine was kickstarted in an identical manner (other than
> using a u5 rather than a u4 kickstart set) to another machine, runs on
> identical hardware and has all the same RPMs on. That other machine
> doesn't require either errata. I don't get it.
>
> Does anyone know what's going on?


 As a matter of interest, on the machines that RHN says do not require
 RHSA-2005:472-05, what's in /etc/redhat-release?

Red Hat Enterprise Linux AS release 3 (Taroon Update 5)

On every single machine.  I checked them all.


 From what I've seen a machine that has a "Update 5" redhat-release package
 but does not have the latest kernel shows up in RHN as requiring that
 update.

All but one machine with the above redhat-release is listed on RHN with

Kernel: 2.4.21-32.EL(smp in some cases)

So I don't think that holds true in my case.


 A machine running U4 does not show up as requiring RHSA-2005:472-05 (in
 RHN) but the package will be listed as a new kernel package in up2date.

All my machines are running complete U5 update sets. The only difference between them and the one apparently requiring RHSA-2005:472-05 is that it was built as a U5 box, rather than having gone U4->U5 after install.



 If I'm following this correctly RHSA-2005:472-05 is a U5 Errata update
 which shows up in RHN for U5 systems.

Which, according to redhat-release, _all_ of my machines are (-:


 Additionally it's an available package update for U4 machines which won't
 show up in RHN until redhat-release is upgraded.

I don't quite parse your meaning here.


 From what I can tell RHN is checking the redhat-release as a baseline,
 currently if you're U5 you need RHSA-2005:472-05, if you're U4 you can
 upgrade the kernel package to 2.4.21-32.0.1.EL. Both are the same thing
 viewed from different perspectives by RHN and up2date.

OK, but this still doesn't make sense given that _all_ of my boxes are running 2.4.21-32.ELsmp and have U5 in their redhat-release...


... Tell a lie, I have one box that is still on kernel 2.4.21-27.0.2.EL (although all U5 RPMs have been installed so redhat-release says U5). It hasn't been rebooted to use 2.4.21-32.EL yet. Surely it should therefore be flagged for 2.4.21-32.0.1.EL? It isn't.

I'm confused.


Ben,
Interesting. I see a slightly different (and at least consistent with my original theory) picture here. Naturally I'll defer to what Jay Turner mentioned about the RHN Errata cache turn around time. All I know is what I saw in that


- no U4 machines show up in RHN as needing RHSA-2005:472-05
- all U4 machines show the 2.4.21-32.0.1.EL package available via up2date
- Machines that have the entire U5 suite except the new kernel package
  show up as requiring RHSA-2005:472-05 in RHN and (finally)
- a machine which went from U4->U5 minus the kernel update showed up as
  requiring RHSA-2005:472-05 within 1 minute in RHN.

As a quick double confirmation for myself I got a U4 machine and used up2date to just update the redhat-release package. Before, the machine did not show up in RHN as requiring RHSA-2005:472-05; afterwards (within 15 seconds, I hit refresh on the RHN page just after the up2date install finished) it did. So in my case the status of the RHN RHSA-2005:472-05 errata listing was determined by the presence of the U5 redhat-release package. I know that doesn't help here to explain what you're seeing, Ben, but I wanted to illustrate the linkage I'm seeing.

I concur that a machine with -32 installed should be flagged as needing -32.0.1 regardless of whether the kernel is running or not as up2date is rpmdb driven.

Based on what Jay said it sounds like time is a big factor here. When the RHN errata cache catches up, all RHEL3 systems will be listed as needing RHSA-2005:472-05.

Regards,
  Stephen

PS. I don't think it's relevant but my (x86) redhat-release package is
redhat-release-3AS-13.5.1. Naturally RHN doesn't use the contents of /etc/redhat-release, it uses the package release version... could be a factor.
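
An added example, not part of the original message or of RHN/up2date: a local, rpmdb-driven check of the kind discussed above, which compares the newest installed kernel build of each flavour against the fixed build 2.4.21-32.0.1.EL and separately reports whether that build is the one booted. The function names, the simplified `rpmvercmp` (no epoch handling) and the sample `rpm -q` output are assumptions constructed for illustration.

```python
import re

FIXED = ("2.4.21", "32.0.1.EL")  # fixed kernel build quoted in the thread

# Constructed sample, as printed by:
#   rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' kernel kernel-smp
SAMPLE_RPMDB = """\
kernel 2.4.21 27.0.2.EL
kernel 2.4.21 32.EL
kernel-smp 2.4.21 32.EL
"""

def _segments(s):
    # RPM compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified RPM version comparison: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    # Compare (version, release) pairs; release only breaks version ties.
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])

def audit(rpm_output, running):
    """Per kernel flavour: newest installed build, whether it predates FIXED,
    and whether that newest build is the booted kernel (uname -r)."""
    newest = {}
    for line in rpm_output.splitlines():
        name, ver, rel = line.split()
        if name not in newest or evr_cmp((ver, rel), newest[name]) > 0:
            newest[name] = (ver, rel)
    report = {}
    for name, evr in newest.items():
        suffix = name[len("kernel-"):]        # "" for kernel, "smp" for kernel-smp
        report[name] = {
            "newest": "-".join(evr),
            "needs_erratum": evr_cmp(evr, FIXED) < 0,
            "is_running": running == "%s-%s%s" % (evr[0], evr[1], suffix),
        }
    return report
```

With the sample above and a booted kernel of 2.4.21-27.0.2.EL, both flavours are reported as needing the erratum based on what is installed, independent of which kernel is running.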


