Security Patches

masteq · #1 18th March 2004, 03:40 PM

What is the process for fixes coming into Fedora when something like this comes out:

http://news.com.com/2100-1002_3-5174...l?tag=nefd_top

Will this get automatically patched with yum or apt?

I guess the bigger question is: can we assume that yum or apt are applying the patches as appropriate for all new vulerabilities. Or are the vulerabilities just coming out of the Fedora community.

Please advise.

mike · #2 18th March 2004, 05:18 PM

Yun should get the updates (about a day slower) is you use the yum.conf from http://fedora.artoo.net/faq/.

Apt should works also, if you downloaded it from freshrpms or Dag.

Mike

Fedoran00bi · #3 22nd March 2004, 09:29 PM

I have a feeling this is a very unsecure distro of Linux.

Where using old kernel, outdated packages, the fedora updates are behind.

Bana · #4 24th March 2004, 02:07 AM

Umm, I don't really know where you are coming from but if you think that Fedora is an unstable OS then you can help turn the situation around by posting security patches and reports on bugzilla. Everyone can help in the community, I challenge you to.

Jman · #5 24th March 2004, 11:53 PM

Quote:

Originally posted by Fedoran00bi
How can we trust this OS?

How can you trust any OS?

Every new Fedora kernel comes with some fixes. It's lagging a couple minor versions behind http://kernel.org/ because of the testing and packaging.

I feel reasonably secure running Fedora. Whether or not I should is another matter.

mhelios · #6 25th March 2004, 03:17 AM

It's actually not lagging behind kernel.org in any regard. The RedHat kernel developers, mainly Dave Jones, backports all relevant features, updates and secuirty fixes into the 2.4.22 (in the case if FC1). Red Hat uses it's own naming conventions as do all distros and as such will not haver the same version numbers as the mainline.

If you have a look at the errata pages for Fedora's security fixes and say RHEL, Fedora's fixes are released usually within a day of the Enterprise Red Hat product. This is pretty good for a project Red Hat sponsors but not officially supports.

I get all my updates, security or other easily and quickly with the up2date panel applet. And all within the quickest timeframe available once the patch is completed.

Fedoran00bi · #7 25th March 2004, 03:52 AM

Quote:

Originally posted by Jman
How can you trust any OS?

Every new Fedora kernel comes with some fixes. It's lagging a couple minor versions behind http://kernel.org/ because of the testing and packaging.

I feel reasonably secure running Fedora. Whether or not I should is another matter.

Jman, ive seen a huge increase in linux insecurities, even more insecure then windows. Im just concered.. like the OpenSSL for example, it took fedora how long to put it in updates dir...a week? 2 weeks?, its been a while. Also see new apache out, and didnt see a new version in updates....

zoodayz · #8 27th March 2004, 06:46 PM

Count the updates for windows compared to Linux and Microsoft. Microsoft decides what and "IF IF IF" core software code they will patch and the IF is if it is a really bad thing to there software Like this thing keeps on sutting down my computer "win32" we will fix that. But you tell me when the Usa Fbi comes to Microsoft and forces Microsoft to put a open port in the software JUST FOR THE FBI. How secure is that? but go spend $25,000 yes twenty five thousand dollers for Microsoft software and yes they have some that cost that much and take a look at how many updates it has lots and lots and lots. As it goes for fedora running a little behind thats also a good thing. We come out with this update and oops we should have not done that so lets update again to fix it but joe on the other end is running the newest of updates and is now vulnerable. ZoodayZ......

Fedoran00bi · #9 27th March 2004, 07:41 PM

Quote:

Originally posted by zoodayz
But you tell me when the Usa Fbi comes to Microsoft and forces Microsoft to put a open port in the software JUST FOR THE FBI. How secure is that?

There is over 65 thousand ports on a microsoft OS, you tell me which port the FBI forced microsoft to open.

Also, if anyone here knows about security, you gotta patch. If you dont patch, holes will be open, and if someone drops a kernel level rootkit on your Linux box, I dont think your gonna be too happy. Especially if the Linux box is in production.

Im just saying, fedora needs to throw the updated patches alittle faster on there update DIR, after the vendor releases it.

Apache 2.0.49 update is out, is it on the fedora update site yet?

I dont think so.

Im not kocking linux or fedora, Im just saying I dont wanna have to wait weeks to get an updated package.
The day the vendor releases it, is the day it should be available for us to download and install it.

Ez.