[luau] slapper worm

Warren Togami warren at togami.com
Thu Sep 26 06:51:01 PDT 2002


Why is RPM not very useful?  Please be aware that the version numbers
from Red Hat may be a bit confusing because Red Hat does not upgrade
versions with these security updates.  Instead they backport security
patches without bumping up the version number, so it may not be clear at
first glance if you are protected or not.

For example my Red Hat 7.3 system has openssl-0.9.6b-28.  (Use "rpm -qi
openssl" to query the information)  According to the advisory I'm at
risk, however I know I applied the official security update from Red Hat
back in July.  I can confirm this with
rpm -q openssl --changelog |less

Why did you not use Red Hat's automatic updating feature?  First thing
you should do after you install Red Hat is subscribe to Red Hat Network
and Entitle your system.  Nobody has any excuse because everyone has one
free Entitlement with RHN.  Entitlement gives you the following
convenient features:

* They e-mail you whenever there is a security or bugfix update
available for your system.
* You can login to your RHN account at http://rhn.redhat.com and see at
a glance which of your systems need what updates.  You can optionally
apply updates from this web based interface.
* Optionally you can use the up2date client in the entitled system.  The
GUI up2date client is called "Update Agent" in your System menu, and it
is as easy as point and click.
* The command line up2date client is very simple.  The following basic
commands can be used:

up2date -u
Update all packages that need updating except potentially disruptive
packages.

up2date -uf
Force an update of everything.  May take some manual intervention (like
rebooting) afterward in order to complete or fix minor configuration
files.  This is usually recommended because it doesn't often break
things, and it will fully upgrade your system.  Below is what it looks
like when I typed "up2date -uf" to upgrade my kernel on my home
firewall.  All automatic!

(Note that kernel updates install another kernel rather than remove the
old kernel.  This allows you to boot into the new kernel for testing in
the GRUB menu.  If the new kernel proves to be stable, you can remove
the old kernel with another rpm command.) 

[root@goku root]# up2date -uf

Retrieving list of all available packages...
########################################

Removing installed packages from list of updates...
########################################

Removing packages marked to skip from list...
########################################

Getting headers for skipped packages...
########################################
The following Packages were marked to be skipped by your configuration:

Name                                    Version        Rel  Reason
-------------------------------------------------------------------------------
kernel                                  2.4.18         10   Pkg name/pattern

None of the packages you requested were found, or they are already
updated.
[root@goku root]# up2date -uf

Retrieving list of all available packages...
########################################

Removing installed packages from list of updates...
########################################

Getting headers for available packages...
########################################

Removing packages with files marked to skip from list...
########################################

Testing package set / solving RPM inter-dependencies...
########################################
Retrieving selected packages...
kernel-2.4.18-10.i686.rpm:  ########################## Done.
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [100%]

up2date is also nice for installing additional official software.  For
example if you want to use emacs but it isn't installed, simply type
"up2date emacs" and it will automatically download and install it for
you.

Most major distributions of Linux have some sort of automatic updating
facility.  If you're pissed off about the need for payment to Red Hat
Network for additional entitlements, then consider using Mandrake or
Debian instead, which have free updates (though perhaps only 95% reliable
rather than 99.99% reliable because it depends on 3rd party sources).
You can alternatively install apt-rpm on Red Hat, which allows it to use
an APT enabled mirror (Videl is not APT enabled, though I am considering
it) for automatic updating.

I personally don't bother with the free alternatives to up2date because $5
a month per machine is a small price for me to pay for my time.  I just
let Red Hat keep track of the security updates and send me e-mail
notices.  I can be fairly confident that Red Hat's update packages will
download reliably and have gone through extensive QA, unlike similar
update packages from Mandrake.  It is cheap and just works.

I never buy boxed sets of Red Hat, so this is my way of giving thanks to
the company. 

Red Hat is unique in that it isn't free for multiple systems and it
downloads only directly from Red Hat, although you can run your own
up2date server called "Current" within your own organization if you
want.  (Red Hat doesn't support it and doesn't approve of it, but too
bad, you can do whatever the heck you want with Open Source Software.) 
Here are a few of the automatic updating tools in different Linux
distributions.

Red Hat
    CLI: up2date
    GUI: "Update Agent"
Mandrake
    CLI: urpmi
    GUI: rpmdrake
Debian
    CLI: apt-get
Gentoo
    emerge
Conectiva
    Hmm... something like rpm-get or apt-rpm

http://rhn.redhat.com
Please read the documentation on the Red Hat Network site and you'll
understand quickly.  Protect your systems with an Entitlement and it
will be easy to keep your system patched.  The OpenSSL vulnerability was
fixed back in July, and you would have received an automated notice from
Red Hat if you were subscribed to Red Hat Network.
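
The changelog check from the start of this message, as an added example that is not part of the original post: because a backported fix leaves the package version unchanged, this reads "rpm -q --changelog" output and reports which changelog entry mentions a given fix identifier. The function names, the sample changelog and PLACEHOLDER-FIX-ID are constructed for illustration; substitute the identifier from the advisory you are checking.

```shell
#!/bin/sh
# Added example (not from the original post).

# fix_entry PATTERN
# Reads `rpm -q --changelog` output on stdin. Prints the header line of the
# newest changelog entry whose body mentions PATTERN (case-insensitive,
# literal match). Returns 0 if such an entry exists, 1 otherwise.
fix_entry() {
    awk -v pat="$1" '
        /^\* / { header = $0; next }   # entry header: "* date packager release"
        header != "" && index(tolower($0), tolower(pat)) {
            print header               # rpm lists newest entries first
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_pkg PACKAGE PATTERN
# Live use on an RPM-based system: query the installed package's changelog.
check_pkg() {
    rpm -q --changelog "$1" | fix_entry "$2"
}

# Constructed sample changelog (not real Red Hat data): same upstream
# version 1.0 in both entries, only the release number moves from 6 to 7.
sample_changelog() {
    cat <<'EOF'
* Mon Jul 01 2002 Example Packager <packager@example.com> 1.0-7
- backport security fix for PLACEHOLDER-FIX-ID

* Mon Mar 04 2002 Example Packager <packager@example.com> 1.0-6
- rebuild
EOF
}

# Demo on the constructed data; on a real system use, for instance:
#   check_pkg openssl 'identifier-from-the-advisory'
if entry=$(sample_changelog | fix_entry "PLACEHOLDER-FIX-ID"); then
    echo "fix recorded in: $entry"
else
    echo "no changelog entry mentions the fix"
fi
```

A non-zero return only means the changelog does not mention the identifier as typed, so try the advisory's other names for the issue before concluding the package is unpatched.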




