Sendmail Vulnerability: critical

Matt Kettler mkettler at evi-inc.com
Thu Mar 23 23:20:18 GMT 2006


Paul Welsh wrote:
> I'm in the same position, Dave.  My current (but soon to be replaced) server
> is running RH9.  I just installed the legacy yum (thanks Matt Kettler for
> pointing this out) but on running yum update I find I've a list of 85
> updates which I'm loathe to install on a live server unless they're
> absolutely critical - see http://www.secondarymail.net/updates.txt for the
> list yum presented to me.
> 
> I reckon my best option is to wait for the updated Sendmail to be put on
> http://download.fedoralegacy.org/redhat/9/updates/i386/ and use the "yum
> install <packagename>" option to install just the updated Sendmail.
> 
> Does that make sense?

Yes, but you really should consider as many of those updates as possible. AFAIK
Fedora legacy *ONLY* issues critical updates for RH9, nearly all of which are
security related.

The only non-security one I know of is the latest glibc package (released today),
which appears to be adjustments for new daylight savings time rules for countries
where DST rules have changed or are going to change soon:

  http://www.redhat.com/archives/fedora-legacy-list/2006-March/msg00172.html


My general policy on updates is:

1) make sure the update is a security update on
	http://fedoralegacy.org/updates/RH9/

2) Find out if I'm actually using the affected package. If I am not using it, I
try to uninstall it with rpm -e, and I'll cascade along deps and uninstall any
deps that I'm not using either in an effort to just remove the affected package.

3) If I find that I am using the package, or a package that I am using depends
on it, and it's a security update, I apply it.

I'm currently running with all the updates applied (including the non-critical
glibc one), with no troubles.
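An added example, not from this thread, that models steps 2 and 3 of the policy above as a reverse-dependency walk: if the affected package or anything that depends on it is in use, apply the update; otherwise the whole dependent set can be removed. The package graph and the "in use" set are constructed for illustration; on a real RH9 box the reverse dependencies come from `rpm -q --whatrequires <pkg>` and removal is `rpm -e`.

```python
"""Decide between removing an affected package (cascading through unused
reverse dependencies) and applying its security update instead.

The dependency data is constructed for illustration; on a real RPM system
each REQUIRED_BY entry would be the output of `rpm -q --whatrequires <pkg>`.
"""
from collections import deque

# constructed: installed package -> packages that require it (reverse deps)
REQUIRED_BY = {
    "sendmail": {"sendmail-cf", "mailscanner"},
    "sendmail-cf": set(),
    "mailscanner": set(),
    "cyrus-sasl": {"sendmail", "openldap"},
    "openldap": set(),
    "xpdf": {"mailscanner"},
}


def reverse_closure(pkg, required_by):
    """Every package that would also have to go before `rpm -e pkg` succeeds."""
    seen, todo = {pkg}, deque([pkg])
    while todo:
        cur = todo.popleft()
        for dependent in required_by.get(cur, ()):
            if dependent not in seen:
                seen.add(dependent)
                todo.append(dependent)
    return seen


def decide(pkg, required_by, in_use):
    """Return ("remove", pkgs) when pkg and everything depending on it is
    unused, else ("update", blockers) naming the in-use packages that pin it."""
    closure = reverse_closure(pkg, required_by)
    blockers = sorted(closure & set(in_use))
    if blockers:
        return "update", blockers
    return "remove", sorted(closure)


if __name__ == "__main__":
    # constructed: the admin actually uses MailScanner, nothing else listed
    for affected in ("sendmail", "xpdf", "openldap"):
        action, pkgs = decide(affected, REQUIRED_BY, {"mailscanner"})
        print(f"{affected}: {action} {' '.join(pkgs)}")
```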

More information about the MailScanner mailing list