David:
On Mon, 30 Oct 2006, David Eisenstein wrote:
Lawrence Houston wrote:
Subject: Re: [FLSA-2006:195418] Updated sendmail packages fix security issue
From: Lawrence Houston <legacy -AT- greenfield.dyndns.org>
Date: Sun, 29 Oct 2006 09:34:17 -0500 (EST)
To: fedora-legacy-announce@xxxxxxxxxx
On Sun, 29 Oct 2006, Lawrence Houston wrote:
On Sun, 29 Oct 2006, fedora-legacy-announce@xxxxxxxxxx wrote:
Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/sendmail-8.12.11-4.22.11.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-8.12.11-4.22.11.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-devel-8.12.11-4.22.11.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/sendmail-doc-8.12.11-4.22.11.legacy.i386.rpm
For the Red Hat 7.3 Distribution the above updates can also be found
within the "updates-testing" Area:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates-testing/sendmail-0-8.12.11-4.22.11.legacy.i386.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-0-8.12.11-4.22.11.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-cf-0-8.12.11-4.22.11.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-devel-0-8.12.11-4.22.11.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates-testing/i386/sendmail-doc-0-8.12.11-4.22.11.legacy.i386.rpm
Which means the final release of these updates will NOT be available
by YUM until the comments around the "updates-testing" section of
yum.conf have been removed!!! My understanding is this should NOT be
required since the same updates should NOT appear in both areas???
A similar pattern repeats for the Red Hat 9 Distribution... Secondly I
failed to notice the leading '0' on the Major Release Number such that
removing the comments around the "updates-testing" sections still will
NOT allow the July 27th Sendmail Updates to be applied... The net
effect being the July 27th Updates are being "held back", either on
purpose or because of an oversight???
Lawrence Houston -- (legacy@xxxxxxxxxxxxxxxxxxxxx)
I think there is something wrong with the header files that yum depends on to
do updates. Perhaps our 'push-to-update' scripts did not generate them correctly,
or they may not have been pushed correctly from the build server to
download.fedoralegacy.org. We're looking into that.
Are the messages you see that display URLs that have 'sendmail-*0-*.i386.rpm' being
generated by the yum program? No such URLs were included in the Fedora Legacy
Security Advisory FLSA-2006:195418, so I was wondering where you saw them.
After I uncommented the "updates-testing" section within yum.conf YUM
complains about the MD5 Signatures failing, which was before I noticed the
headers within "updates-testing" following that "strange" pattern with
that leading "0-" on their version numbers:
Error: MD5 Signature check failed for /var/cache/yum/updates-testing/packages/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm
The above RPM within my YUM Cache Tree is a very small HTML "like" File
containing a message about the RPM not existing within "updates-testing":
The requested URL /redhat/7.3/updates-testing/i386/sendmail-cf-8.12.11-4.22.11.legacy.i386.rpm was not found on this server.
Which is in keeping with your observations that the RPMs do NOT actually
exist within "updates-testing", with an apparent error in the Header
Generation... Also the above error messages do NOT include the leading
"0-" within the "displayed" version numbers, those I see by Browsing the
Headers on Legacy's Web Site within the "updates-testing" tree... You are
correct, I did NOT see those RPMs within "updates-testing" on Legacy's Web
Site!!!
NOTE: with "updates-testing" commented out of yum.conf, YUM still fails
to detect the July 27th SENDMAIL Updates within "updates" (which should be
installed)??? YUM claims there are NO Packages available for Update,
which is NOT True since the July 27th SENDMAIL Updates should be applied!!!
In the meantime, if you wish to update these files manually, you can download
them with wget or a web browser using the URLs given in the Advisory message. You
can then use the 'rpm -U' command (as user root) to update the sendmail packages.
That will do the same thing that yum should have done.
Lawrence Houston -- (legacy@xxxxxxxxxxxxxxxxxxxxx)
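
The failure described in this thread, a web server's "not found" page saved in the cache under an .rpm name, can be spotted before any checksum or signature check by looking for the 4-byte RPM lead magic (ed ab ee db). The script below is an added example, not part of the original messages or of yum; the function names and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: spot cached "packages" that are really HTTP error pages.
# A genuine RPM file starts with the 4-byte lead magic ed ab ee db.

# Return 0 if the file begins with the RPM lead magic, 1 otherwise.
is_rpm_file() {
    [ -f "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "edabeedb" ]
}

# Print every *.rpm in directory $1 that is not a real RPM.
# Return status is 0 when nothing bogus was found, 1 otherwise.
find_bogus_rpms() {
    bogus=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue      # directory has no *.rpm files
        if ! is_rpm_file "$f"; then
            echo "$f"
            bogus=1
        fi
    done
    return "$bogus"
}

# Demo on constructed sample files (not real packages).
demo_dir=$(mktemp -d)
printf '\355\253\356\333rest-of-lead' > "$demo_dir/good-1.0-1.i386.rpm"
printf '<html><body>The requested URL was not found on this server.</body></html>\n' \
    > "$demo_dir/missing-1.0-1.i386.rpm"
find_bogus_rpms "$demo_dir" || echo "the files listed above are not RPM packages"
rm -rf "$demo_dir"
```

Pointing `find_bogus_rpms` at a cache directory such as /var/cache/yum/updates-testing/packages lists the files to delete before retrying. The magic check only tells a package apart from an error page; `rpm -K` is still what verifies a real package's digests and signature.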