"Updating" to a parent version of software (namely, non-Red Hat) may introduce more vulnerabilities, because Red Hat is often careful in security to attempt, where possible, to make its editions of software more secure than the Open Source parent editions. See "What is Red Hat Backporting"; the example quoted below from that link explains this further:

Red Hat has attached CVE names to all its advisories since January 2000, allowing all to easily cross-reference vulnerabilities and find out how and when Red Hat fixed them, independent of version numbers. Since the introduction of Red Hat Enterprise Linux, Red Hat has been careful to explain in its security advisories how it fixed an issue: by moving to a new upstream version, or by backporting patches to the existing version. This can cause confusion, as even after installing updated packages from a vendor, it is not likely to have the latest upstream version, but rather an older upstream version with backported patches applied. For example, stories in the press may include phrases such as "upgrade to Apache httpd 2.0.43 to fix the issue", which only takes into account the upstream version number. Backporting has a number of advantages, but it can create confusion when it is not understood.

So the idea of a "newer rpm" without keeping backporting in mind is a bit of a misnomer. There are certainly higher-numbered versions in the open-source editions; however, with backporting, Red Hat cherry-picks open-source project editions of given software such as Apache and often does not bring over the same inherent security flaws, as in this example with log4j: Red Hat Linux itself was not vulnerable (see this link); see this link, where the parent Open Source project WAS vulnerable, while the former link shows Red Hat's backported edition was not. To answer your question (scrolling up higher in this discussion).
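The check the post describes in practice, as an added example that is not part of the original post: decide whether an installed RPM carries a backported fix by looking for the CVE name in the package changelog (on a Red Hat system, `rpm -q --changelog <package>`) instead of comparing its upstream version number. The changelog below is constructed inline so the script runs anywhere; its package versions and CVE identifiers are placeholders, not real advisories.

```shell
#!/bin/sh
# Added example (not from the post). A real changelog comes from:
#   rpm -q --changelog httpd
# Here a constructed changelog is embedded so the script runs offline.
# Versions and CVE-0000-000x identifiers are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 10 2022 Example Maintainer <maint@example.com> - 2.0.40-21
- Resolves: CVE-0000-0001 request smuggling (backported from upstream 2.0.43)
- Resolves: CVE-0000-0002 denial of service
* Tue Mar 02 2021 Example Maintainer <maint@example.com> - 2.0.40-20
- Rebuilt with hardening flags'

# cve_fixed_in_changelog CVE-ID   (changelog on stdin)
# Prints the version-release whose entry references the CVE; exit 0 if found, 1 if not.
cve_fixed_in_changelog() {
    cve="$1"
    release=""
    while IFS= read -r line; do
        case "$line" in
            '* '*) release="${line##* - }" ;;          # entry header: keep "version-release"
            *"$cve"*) printf '%s\n' "$release"; return 0 ;;
        esac
    done
    return 1
}

# installed_upstream_version   (changelog on stdin)
# Prints only the upstream version of the newest entry, i.e. what a press
# article like "upgrade to 2.0.43" would compare against.
installed_upstream_version() {
    while IFS= read -r line; do
        case "$line" in
            '* '*) rel="${line##* - }"; printf '%s\n' "${rel%%-*}"; return 0 ;;
        esac
    done
    return 1
}

# Usage: the installed upstream version is 2.0.40, lower than the 2.0.43 named
# in the press, yet the changelog shows CVE-0000-0001 was fixed in release 2.0.40-21.
printf '%s\n' "$SAMPLE_CHANGELOG" | installed_upstream_version
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in_changelog CVE-0000-0001
```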