Questions about patch levels
Hello, Can anyone on this list refer me to a document that explains how SUSE patch versioning works? For instance we have a SLOX 4.1 mail server that is based in part on Suse Enterprise Server 8.0 and United Linux that is running apache-1.3.26-163. Now this is a very old version of apache but what is the 163 exactly? I need to know if this version is still vulnerable. How do I know what was fixed within this version, and for that matter earlier versions? This particular apache version 1.3.26 has a lot of problems. Our scanner is lighting up like a Christmas tree every time it is scanned. It is fully patched but !!!!! Someone said the fix is back ported or something. What does backported mean? Why don't they just upgrade to the newer version with the fix? How do you know what fixed what? I need some help. I've got a boss that is on me to get this figured out. Is there a document or a database that will tell me if a particular vulnerability has been patched and what version did it? Thanks, Steve
steve nutt wrote:
> For instance we have a SLOX 4.1 mail server that is based in part on Suse Enterprise Server 8.0 and United Linux that is running apache-1.3.26-163. Now this is a very old version of apache but what is the "163" exactly?
Nothing more than a serial number. Every time the 'apache-1.3.26' package is modified, the number goes up (not necessarily by one).
> I need to know if this version is still vulnerable. How do I know what was fixed within this version, and for that matter earlier versions?
By using RPM: rpm -q --changelog apache-1.3.26 will tell you the history of this package.
> Someone said the fix is back ported or something. What does backported mean?
It means that a problem that is fixed in a later version is also fixed in a previous version. For example, 'apache-1.3.27' may fix some security problems in 'apache-1.3.26'. But it may also have new features or other things unrelated to security problems. Backporting means that the security fixes are included in the old version, but all other things are left like they are.
> Why don't they just upgrade to the newer version with the fix?
They usually don't, as other packages may depend on parts of that version. Upgrading to a new version will break those dependencies. Best regards, Arjen
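As an added example (not part of the thread), a small Python script that does what the reply describes: it splits a package label such as apache-1.3.26-163 into name, version and vendor release, and searches changelog text of the form `rpm -q --changelog apache-1.3.26` prints for an advisory id or keyword, reporting which entry recorded the backported fix. The changelog text and the CAN-EXAMPLE-* identifiers are constructed placeholders; feed it the real changelog in practice.

```python
import re

# Constructed sample of `rpm -q --changelog` output (assumed layout: a header
# line starting with '*', followed by '-' item lines, newest entry first).
# The CAN-EXAMPLE-* identifiers are placeholders, not real advisories.
SAMPLE_CHANGELOG = """\
* Tue Jun 03 2003 maintainer@example.org
- backported fix for buffer overflow in mod_ssl (CAN-EXAMPLE-0001)
* Mon Oct 14 2002 maintainer@example.org
- backported fix for chunked-encoding denial of service (CAN-EXAMPLE-0002)
* Wed Jun 19 2002 maintainer@example.org
- update to 1.3.26
"""


def split_nvr(nvr):
    """Split 'name-version-release' into its parts. The release ('163') is the
    vendor's build serial, not an upstream version, so a package name may
    itself contain hyphens; split from the right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def parse_changelog(text):
    """Return a list of (header, [items]) entries in the order rpm prints them."""
    entries = []
    for line in text.splitlines():
        if line.startswith("* "):
            entries.append((line, []))
        elif line.startswith("- ") and entries:
            entries[-1][1].append(line[2:])
    return entries


def find_fix(text, identifier):
    """Return the header of the newest entry mentioning identifier (an advisory
    id or keyword, matched case-insensitively), or None if no entry does."""
    for header, items in parse_changelog(text):
        if any(identifier.lower() in item.lower() for item in items):
            return header
    return None


def fixed_status(text, identifiers):
    """Map each identifier to the changelog entry that fixed it (None = absent)."""
    return {ident: find_fix(text, ident) for ident in identifiers}


if __name__ == "__main__":
    print(split_nvr("apache-1.3.26-163"))
    for ident, where in fixed_status(SAMPLE_CHANGELOG, ["CAN-EXAMPLE-0001", "CAN-EXAMPLE-9999"]).items():
        print(ident, "->", where or "NOT FOUND in changelog")
```

An identifier missing from the changelog is not proof the package is vulnerable (the item may be described differently), but an entry that names it is the record the thread says to look for.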
participants (2)
- Arjen de Korte
- steve nutt