[svlug] rpm tips: full version including epoch, CVEs fixed via backport

Mark - Syminet mark at symonds.net
Fri Nov 30 15:45:46 PST 2012


On Nov 29, 2012, at 10:11 AM, Rick Moen <rick at linuxmafia.com> wrote:

> Quoting Dan Mashal (dan.mashal at gmail.com):
> 
>> Every CVE is an "emergency". Every security issue "critical". Everything
>> MUST be encrypted. 3 times.
>> 
>> Biggest scam artists in the industry in the last few years.
> 
> I would guess you've encountered PCI compliance.  ;->
> 

Can't help but chime in here; wrangling with these companies has chapped 
my hide for years as well, and it seems lately one in particular has decided 
to go on one of their little "rampages" again, failing people when they shouldn't 
and generally wreaking havoc everywhere they go.  Not only that, but they *intentionally* 
appear to throw away epoch numbers in order to ding their customers for the 
extra fees.  For example, on an Ubuntu webserver they failed, we already provide 
the epoch info in the headers: 

syminair:etc mark$ curl -I example.com 2>&1 |grep X-Powered
X-Powered-By: PHP/5.3.2-1ubuntu4.18
syminair:etc mark$ 

…so they already have it, but they ignore everything after the hyphen and fail 
on the base version number alone.  On debian/ubuntu I've resorted to providing 
them with a dump of every package+version on the system like so: 

dpkg -l | awk '$1 == "ii" { print $2, $3 }' | column -t 

...copy/paste into mail and ask them to explain exactly which packages are not 
CVE patched.  

-- 
Mark 
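Added example, not part of Mark's mail: a small Debian/Ubuntu version comparator that keeps the epoch and the packaging revision, which is exactly what a scanner loses when it judges "PHP/5.3.2-1ubuntu4.18" on "5.3.2" alone. The package names and fixed-in versions are constructed placeholders, not real advisory data.

```python
import re
from itertools import zip_longest

def parse_version(v):
    """Split [epoch:]upstream[-revision] the way dpkg does (last hyphen wins)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:          # no hyphen at all: everything is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision

def _order(c):
    # dpkg character ranking: '~' sorts before anything (even end of string),
    # letters before non-letters, digits are handled numerically elsewhere
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare upstream or revision strings: alternate non-digit and digit runs."""
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            d = _order(ca) - _order(cb)
            if d:
                return -1 if d < 0 else 1
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        ia, ib = int(na or 0), int(nb or 0)   # numeric, so 10 > 2
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 like dpkg --compare-versions; epoch first, then upstream, then revision."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def unpatched(installed, fixed_in):
    """Packages whose installed version is below the version carrying the backported fix."""
    return sorted(p for p, v in fixed_in.items()
                  if p in installed and compare_versions(installed[p], v) < 0)

# Constructed sample data (placeholders, not real advisories): what the dpkg -l
# dump above would yield, against hypothetical distro "fixed in" versions.
INSTALLED = {"php5": "5.3.2-1ubuntu4.18", "libssl": "1:0.9.8-7ubuntu8.1"}
FIXED_IN = {"php5": "5.3.2-1ubuntu4.17", "libssl": "1:0.9.8-7ubuntu8.2"}
```

Only libssl is reported here: php5 is at a newer packaging revision than the fix, which a bare "5.3.2 < 5.3.x" check would miss.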