I first got word of the OpenSSH vulnerability via Barry’s mention of it. I updated my FreeBSD machines quite quickly thanks to their excellent security team.
When it came to RedHat, of course, it was a mess.
RedHat has stopped maintaining older versions of their distributions; they seem to think customers can afford to redeploy all machines every 6 months – which means a full reinstall due to their flawed upgrade procedure.
So I had to backport. I got the latest SRPM from the RedHat 9 advisory and tried to build it; after installing all the needed -devel RPMs it still failed. On further investigation I found that the PAM package as supplied by RedHat had changed. The initial package that came with my version of RedHat included the header files in the normal PAM package. Later on they provided a security fix for PAM, and this did not include the header files; instead it built a separate -devel package. Furthermore, they did not supply the -devel RPM as part of the later update.
There was absolutely no indication of this requirement in the actual RPM; its ‘requires’ list did not include pam-devel at all.
To get around this I had to rebuild PAM with the appropriate options to produce a -devel RPM (it does not do so by default) and proceeded from there. Once I got around this it was smooth sailing, and I now have a nice up-to-date RPM package for my ancient RedHat.
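The pre-build check I would run before any such SRPM rebuild, as an added example rather than anything from the original post: compare the build requirements the SRPM declares against what is actually installed, so a missing -devel package shows up before rpmbuild fails half-way through. The pure-text helper runs anywhere; the wrapper assumes rpm's query tools (`rpm -qp --requires` on a source package lists its build requirements, `rpm -qa --qf` lists installed names) and `mktemp`. Package names in the comments are illustrative.

```sh
#!/bin/sh
# Added example, not code from the original post.
#
# missing_build_deps DECLARED_FILE INSTALLED_FILE
#   DECLARED_FILE : one requirement per line, in the form printed by
#                   `rpm -qp --requires foo.src.rpm`; entries may carry a
#                   version constraint ("openssl-devel >= 0.9.7") and there
#                   are usually rpmlib(...) pseudo-requirements as well.
#   INSTALLED_FILE: one installed package name per line.
# Prints every declared package that is not installed and returns 1 if
# there is at least one; returns 0 (printing nothing) when all are present.
missing_build_deps() {
    declared="$1"
    installed="$2"
    out=$(
        # Drop the version constraint ("pam-devel >= 0.75" -> "pam-devel"),
        # then drop rpmlib(...) lines: those are capabilities of rpm itself,
        # not packages you could install. Blank lines are ignored.
        sed -e 's/[[:space:]]*[<>=].*$//' \
            -e '/^rpmlib(/d' \
            -e '/^[[:space:]]*$/d' "$declared" |
        sort -u |
        while IFS= read -r name; do
            # -x: whole-line match, -F: literal (names like c++-devel are
            # not regular expressions).
            grep -qxF -- "$name" "$installed" || printf '%s\n' "$name"
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# srpm_missing_deps FOO.src.rpm
#   Same check against the live rpm database. Assumes rpm's query tools.
srpm_missing_deps() {
    srpm="$1"
    d=$(mktemp) || return 2
    i=$(mktemp) || { rm -f "$d"; return 2; }
    rpm -qp --requires "$srpm" > "$d"
    rpm -qa --qf '%{NAME}\n' > "$i"
    missing_build_deps "$d" "$i"
    rc=$?
    rm -f "$d" "$i"
    return $rc
}

# Typical use (assumed file name), stopping before rpmbuild if anything is
# missing:
#   srpm_missing_deps openssh-3.5p1-11.src.rpm && rpmbuild --rebuild openssh-3.5p1-11.src.rpm
```

The caveat the post itself illustrates: this only checks what the SRPM declares. When the declared list is incomplete, as with the missing pam-devel above, the check passes and the build still fails on the missing header, so the configure output of a failed build remains the ground truth and this script is a first filter, not a guarantee.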
This is not the first time RedHat has done something as incredibly stupid as this: the recent IPTables update did something similar by all of a sudden having more requirements to install than the version it replaces, so I had to go and find what it required manually – effectively breaking my automated updates tracking.
RedHat is just not ready for use in the real world.
On a lighter note, I noticed this really funny yet appropriate posting on BugTraq.
Related Links:
My previous experiences with RPM