Re: Patch management tool

From: James Riden (j.riden@massey.ac.nz)
Date: Thu Sep 09 2004 - 20:59:25 EDT

• Next message: Alex Butcher, ISC/ISYS: "Re: Achilles proxy for linux"
• Previous message: 4secure@web.de: "virus product pentest"
• In reply to: Todd Towles: "RE: Patch management tool"
• Next in thread: Todd Towles: "RE: Patch management tool"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

"Todd Towles" <toddtowles@brookshires.com> writes:

> Patrick is right, Red Hat will patch services but doesn't change the
> default version number in their banners. That way, you don't really know
> what level a service is, if you are trying to attack it.
>
> I did a "rpm -q OpenSSH" and it came back with a older version. Maybe it
> was patched and I couldn't tell..it is possible. But I know for sure I
>
>
> I can't remember the term for this process (patching without changing
> the presented version) but I do know that RH does it.

% rpm -q kernel
kernel-2.4.22-1.2188.nptl

2.4.22 is the kernel version that was used as the base
1.2188 is a number that presumably means something to someone at Red Hat.

Redhat tend to backport security fixes into their current version -
this is done for stability reasons. When they do this, they rev the
number after the last '-', e.g. as in openssh-3.6.1p2-19.

> This is a cool trick but in my mind it doesn't protect you very
> much.

It does protect you - the fix is there, but it does mean you get
e.g. nessus reporting openssh as vulnerable when it's not.

-- 
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

• Next message: Alex Butcher, ISC/ISYS: "Re: Achilles proxy for linux"
• Previous message: 4secure@web.de: "virus product pentest"
• In reply to: Todd Towles: "RE: Patch management tool"
• Next in thread: Todd Towles: "RE: Patch management tool"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT