RE: [RHSA-2001:078-05] Format string bug fixed

From: Mayers, Philip J (p.mayersat_private)
Date: Wed Jun 20 2001 - 06:14:36 PDT


    That's great - but did you even *bother* to check if the update works on
    RedHat 7.0?
    
    [root@unix-software i386]# cat /etc/redhat-release
    Red Hat Linux release 7.0 (Guinness)
    
    [root@unix-software i386]# rpm -qp --requires exim-3.22-13.i386.rpm
    <snip>
    libcrypto.so.1
    <snip>
    libssl.so.1
    <snip>
    
    [root@unix-software i386]# rpm -qa --provides | egrep 'libssl|libcrypto'
    libcrypto.so.0
    libssl.so.0
    libssl.so
    
    [root@unix-software i386]# rpm -q openssl --provides
    libcrypto.so.0
    libssl.so.0
    openssl = 0.9.5a-14
    
    [root@unix-software i386]# rpm -Uvh exim-3.22-13.i386.rpm
    error: failed dependencies:
            libcrypto.so.1   is needed by exim-3.22-13
            libssl.so.1   is needed by exim-3.22-13
    
    *Wonderful* - you've shipped an update that no-one can apply, unless they
    update their OpenSSL package (an update you don't provide). Doubtless you
    built the RPM on RedHat 7.1, which has OpenSSL 0.9.6 and libcrypto.so.1.
    
    I like RedHat, but this is the third time you've done something like this in
    recent months:
    
    1) Splitting glibc into glibc-common and glibc, which meant that the glibc
    update could not automatically be applied
    2) Breaking the init script for the OpenSSH 2.5.2 release, which meant that
    if anyone applied the update whilst logged in over SSH, the SSH daemon
    restarted - this was because you switched to using the newer initscripts,
    which had a function in them that the older ones didn't.
    3) Now this, an (old, not even version 3.30) Exim update that won't apply!
    
    Don't even get me started on the RPM4 update to 6.2, or the LDAP and crypto
    libraries (which weren't a core part of the system when you shipped it, but
    you made essential later on) - annoyingly enough, after making such sweeping
    changes you didn't ship OpenSSH (although you already had OpenSSL) for 6.2.
    
    You might take a lead from Debian's book, and exercise a little bit of
    discipline when making your packages, rather than letting a random intern
    ship updates to systems that people are using *in production*. Can I make a
    suggestion - when developing patches for an operating system, try doing it
    on the right version of the damn OS, rather than against RawHide, or
    whatever it is you do...
    
    Could you please re-issue this update, compiled on the right system this
    time?
    
    Regards,
    Phil
    
    +----------------------------------+
    | Phil Mayers, Network Support     |
    | Centre for Computing Services    |
    | Imperial College                 |
    +----------------------------------+
    
    -----Original Message-----
    From: bugzillaat_private [mailto:bugzillaat_private]
    Sent: 19 June 2001 21:40
    To: redhat-watch-listat_private
    Cc: bugtraqat_private; linux-securityat_private;
    securityat_private
    Subject: [RHSA-2001:078-05] Format string bug fixed
    
    <snip broken update report>
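A pre-flight dependency check of the kind this thread argues for, added here as an example (it is neither the poster's nor Red Hat's tooling): it parses constructed `rpm -qp --requires` and `rpm -qa --provides` output in the same shape as the listings above and reports every requirement the installed system cannot satisfy, including versioned ones. The version comparison is a simplified rpmvercmp written for this example; the real one has further rules this omits.

```python
import re

# Constructed sample output modelled on the post's listings (not captured
# from a real system): the update wants the .so.1 sonames and OpenSSL 0.9.6,
# while the 7.0 box only provides .so.0 and openssl 0.9.5a-14.
EXIM_REQUIRES = """\
libcrypto.so.1
libssl.so.1
libc.so.6
openssl >= 0.9.6
"""

SYSTEM_PROVIDES = """\
libcrypto.so.0
libssl.so.0
libc.so.6
openssl = 0.9.5a-14
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")
# Which comparison results (-1, 0, 1 of provided vs required) satisfy each operator.
OPS = {"<": (-1,), "<=": (-1, 0), "=": (0,), ">=": (0, 1), ">": (1,)}


def rpmvercmp(a, b):
    """Simplified rpmvercmp: walk alternating numeric/alpha segments; a numeric
    segment outranks an alpha one; the longer string wins if all else is equal."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse(text):
    """Turn 'name [op version]' lines into (name, op, version) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if parts:
            entries.append(tuple((parts + [None, None])[:3]))
    return entries


def satisfied(req, provides):
    """A requirement is met by a same-named provide whose version passes the operator
    (an unversioned requirement or unversioned provide matches on name alone)."""
    name, op, ver = req
    for pname, _pop, pver in provides:
        if pname == name and (op is None or pver is None or rpmvercmp(pver, ver) in OPS[op]):
            return True
    return False


def missing_deps(requires_text, provides_text):
    """Return the requirements (as 'name op version' strings) the system cannot satisfy."""
    provides = parse(provides_text)
    return [" ".join(p for p in req if p) for req in parse(requires_text)
            if not satisfied(req, provides)]


if __name__ == "__main__":
    for dep in missing_deps(EXIM_REQUIRES, SYSTEM_PROVIDES):
        print(f"{dep} is needed but not provided")
```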
    
    This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 08:10:10 PDT