On Wed, 2005-07-27 at 23:59 -0300, Claudio Castro wrote:
...
> So are you saying that the packet I found in the CentOS repository
> (1.4.3) it's patched properly?
$ rpm -q --changelog -p squirrelmail-1.4.3a-9.EL4.centos4.noarch.rpm
* Tue Apr 12 2005 Johnny Hughes <johnny@xxxxxxxxxx> 1.4.3a-9.EL4.centos4
- remarked out the spash screen (RH/Fedora Trademark removal)
* Tue Feb 01 2005 Warren Togami <wtogami@xxxxxxxxxx> 1.4.3a-9.EL4
- CAN-2005-0075 potential insecure file inclusions
* Mon Jan 31 2005 Warren Togami <wtogami@xxxxxxxxxx> 1.4.3a-8.EL4
- CAN-2005-0103 for cross site scripting
- CAN-2005-0104 for code injectian via unsanitised integer variable
* Fri Nov 19 2004 Warren Togami <wtogami@xxxxxxxxxx> 1.4.3a-7.EL4
- RHEL4
... etc., etc., etc. ...
> when I do a "yum update" what im really doing?changing versions or not?
> just updating to patched versions?
The patched versions will always have a new number. Whether it's a new
version or one with backported patches or other incremental changes can
usually be determined by the packagename-M.N part of the name.
> what if I want to install a new version of a package?
If it's in a compatible repo, and has a higher version, just add the
repo to your yum configuration (or alternate favorite package manager)
and update.
> what should i do to upgrade to a new version instead of a patched version?
> Anyway....why isnt the package of squirrelmail 1.4.5 in the repository?
Because RH chooses to do backports rather than new versions, and CentOS
generally follows RHEL.
> where can i find a description of the packages in the repository..i
> mean...how can i know the real version..the patches applied to it..and etc.
See above.
>
> Is there a way to use yum only to fix security problems? or that is what
> it really do and i dont know it yet...the first time i run yum update..i
> download a lot of packages..but how can i know if they are new version
> or just security patches for my old ones...?
This has been discussed on several RH&derivatives lists. Seems that
there's no easy way for yum to know a security update from a simple bug-
fix or enhancement. Might turn up as a future feature. Best you can do
now is look at the announcements and install only the security fixes,
but that seems like more trouble than it's worth.
> If i regulary use the yum update should I be relax that I have all my
> packages up to date and with their security patches?
That's about the best you can do, unless you want to monitor the
security lists and roll your own patches.
