From: "Mayers, Philip J" <p.mayers@ic.ac.uk>
To: "'bugzilla@redhat.com'" <bugzilla@redhat.com>, redhat-watch-list@redhat.com
Subject: RE: [RHSA-2001:078-05] Format string bug fixed
Date: Wed, 20 Jun 2001 14:14:36 +0100
Cc: bugtraq@securityfocus.com, linux-security@redhat.com, security@redhat.com

That's great - but did you even *bother* to check if the update works on RedHat 7.0?

[root@unix-software i386]# cat /etc/redhat-release
Red Hat Linux release 7.0 (Guinness)
[root@unix-software i386]# rpm -qp --requires exim-3.22-13.i386.rpm
<snip>
libcrypto.so.1
<snip>
libssl.so.1
<snip>
[root@unix-software i386]# rpm -qa --provides | egrep 'libssl|libcrypto'
libcrypto.so.0
libssl.so.0
libssl.so
[root@unix-software i386]# rpm -q openssl --provides
libcrypto.so.0
libssl.so.0
openssl = 0.9.5a-14
[root@unix-software i386]# rpm -Uvh exim-3.22-13.i386.rpm
error: failed dependencies:
        libcrypto.so.1 is needed by exim-3.22-13
        libssl.so.1 is needed by exim-3.22-13

*Wonderful* - you've shipped an update that no-one can apply, unless they update their OpenSSL package (an update you don't provide). Doubtless you built the RPM on RedHat 7.1, which has OpenSSL 0.9.6 and libcrypto.so.1.

I like RedHat, but this is the third time you've done something like this in recent months:

1) Splitting glibc into glibc-common and glibc, which meant that the glibc update could not automatically be applied.

2) Breaking the init script for the OpenSSH 2.5.2 release, which meant that if anyone applied the update whilst logged in over SSH, the SSH daemon restarted - this was because you switched to using the newer initscripts, which had a function in them that the older ones didn't.

3) Now this, an (old, not even version 3.30) Exim update that won't apply!

Don't even get me started on the RPM4 update to 6.2, or the LDAP and crypto libraries (which weren't a core part of the system when you shipped it, but you made essential later on) - annoyingly enough, after making such sweeping changes you didn't ship OpenSSH (although you already had OpenSSL) for 6.2.

You might take a lead from Debian's book, and exercise a little bit of discipline when making your packages, rather than letting a random intern ship updates to systems that people are using *in production*.

Can I make a suggestion - when developing patches for an operating system, try doing it on the right version of the damn OS, rather than against RawHide, or whatever it is you do...

Could you please re-issue this update, compiled on the right system this time?

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+

-----Original Message-----
From: bugzilla@redhat.com [mailto:bugzilla@redhat.com]
Sent: 19 June 2001 21:40
To: redhat-watch-list@redhat.com
Cc: bugtraq@securityfocus.com; linux-security@redhat.com; security@redhat.com
Subject: [RHSA-2001:078-05] Format string bug fixed

<snip broken update report>
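The pre-flight check Phil does by hand above (compare the package's --requires list with what the target box --provides, before running rpm -Uvh), as an added example that is not part of the mail or of Red Hat's tooling. The two sample lists are constructed from the session above; the `openssl >= 0.9.6` line and the simplified rpmvercmp are my assumptions.

```python
import re
# Constructed, abridged sample of `rpm -qp --requires exim-3.22-13.i386.rpm`;
# the `openssl >= 0.9.6` line is a hypothetical versioned requirement.
REQUIRES = """\
libcrypto.so.1
libssl.so.1
openssl >= 0.9.6
"""
# Constructed sample of `rpm -qa --provides` output on the Red Hat 7.0 box.
PROVIDES = """\
libcrypto.so.0
libssl.so.0
libssl.so
openssl = 0.9.5a-14
"""
# One dependency line as rpm prints it: "name" or "name <op> version".
DEP_RE = re.compile(r"^(\S+)(?:\s+(<=|>=|=|<|>)\s+(\S+))?$")

def vercmp(a, b):
    """Simplified rpmvercmp: digit runs as ints, letters lexically, digits beat letters, longer wins."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def satisfies(have, op, want):
    """Does the provided version `have` meet the requirement `<op> want`?"""
    if op is None or have is None:  # unversioned need, or unversioned provide
        return True
    if "-" not in want:  # requirement names no release, so ignore ours
        have = have.split("-", 1)[0]
    c = vercmp(have, want)
    return {"=": c == 0, "<": c < 0, ">": c > 0, "<=": c <= 0, ">=": c >= 0}[op]

def parse_deps(text):
    return [m.groups() for m in map(DEP_RE.match, text.splitlines()) if m]

def unmet_requirements(requires_text, provides_text):
    """Requirement lines that no installed package's --provides satisfies."""
    provided = {}
    for name, _, ver in parse_deps(provides_text):
        provided.setdefault(name, []).append(ver)
    return [" ".join(p for p in (name, op, want) if p)
            for name, op, want in parse_deps(requires_text)
            if not any(satisfies(v, op, want) for v in provided.get(name, []))]
```

Running the same check on the build host (7.1, OpenSSL 0.9.6) would have returned an empty list, which is exactly why the breakage only shows up on 7.0.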