[luau] New Linux Worm Threatens Serious Denial Of Service Attacks Sept. 16, 2002

Warren Togami warren at togami.com
Tue Sep 17 22:09:00 PDT 2002


On Tue, 2002-09-17 at 20:59, Ronnie T Livingston wrote:
> How would running these automatic updating tools affect your server if you
> installed apache, mod_ssl, open_ssl by hand and didn't use the default
> version that came with your distribution??
> 
> -Ronnie
> 

If you installed 3rd party software into /opt or /usr/local, then it is
completely separate from RPM packages.  If you installed into somewhere
within /usr, I don't know.

In general there are tremendous time management benefits in sticking to
packages.  When these security alerts are released, protecting yourself
is a trivial amount of effort.  Alternatively you can keep around the
source trees that you used to install your 3rd party software, so
applying patches and re-installing is fairly quick.

Sometimes packages of a certain piece of software, or a patched version
of existing software don't exist.  What I do instead of keeping source
trees is grab the .src.rpm package, apply patches there and compile
custom packages.  This allows me to very easily keep track of exactly
what files are installed, what versions, and even a changelog all stored
within the RPM database.  This makes completely uninstalling stuff easy
too, no leftover crap from multiple versions of stuff you may have
installed in the past like in Windows.  (This happens slowly over time
in manually installed stuff on Unix too.)

I would highly recommend using a test box, and see if you can get your
Jakarta stuff working with Red Hat's official Apache and OpenSSL
packages.  It shouldn't take too long since all the Jakarta stuff seems
to be available in RPM packages too.  It may take some figuring, but it
is certainly possible.
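
An added example, not part of the original post: a script that asks the RPM database which package, if any, owns each file passed to it, which is one way to see whether a given Apache or OpenSSL binary falls under package updates. The function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: ask the RPM database which package, if any, owns each file.
# Usage (paths are assumptions):
#   sh rpm-owner.sh "$(command -v httpd)" "$(command -v openssl)"

# owner_of FILE: print the owning package name(s); non-zero if RPM owns none.
owner_of() {
    out=$(rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null) || return 1
    printf '%s\n' "$out" | sort -u | paste -sd, -
}

# classify FILE...: one line per file, "FILE<TAB>STATUS", where STATUS is
# "rpm:<package>", "unmanaged" (exists, not in the RPM database) or "missing".
classify() {
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf '%s\tmissing\n' "$f"
        elif pkg=$(owner_of "$f") && [ -n "$pkg" ]; then
            printf '%s\trpm:%s\n' "$f" "$pkg"
        else
            printf '%s\tunmanaged\n' "$f"
        fi
    done
}

# count_unmanaged FILE...: number of existing files the RPM database does not track.
count_unmanaged() {
    classify "$@" | awk -F'\t' '$2 == "unmanaged" { n++ } END { print n + 0 }'
}

# Only run when called with file arguments; requires the rpm command.
if [ "$#" -gt 0 ]; then
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; exit 2; }
    classify "$@"
fi
```

`rpm -qf` matches on path, so a hand-built binary installed over a packaged one still shows as `rpm:<package>`; `rpm -V <package>` reports files whose contents no longer match the database.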



