On Wed, 2005-07-27 at 23:59 -0300, Claudio Castro wrote: ...
So are you saying that the package I found in the CentOS repository (1.4.3) is patched properly?
$ rpm -q --changelog -p squirrelmail-1.4.3a-9.EL4.centos4.noarch.rpm
* Tue Apr 12 2005 Johnny Hughes johnny@centos.org 1.4.3a-9.EL4.centos4
- remarked out the spash screen (RH/Fedora Trademark removal)
* Tue Feb 01 2005 Warren Togami wtogami@redhat.com 1.4.3a-9.EL4
- CAN-2005-0075 potential insecure file inclusions
* Mon Jan 31 2005 Warren Togami wtogami@redhat.com 1.4.3a-8.EL4
- CAN-2005-0103 for cross site scripting
- CAN-2005-0104 for code injectian via unsanitised integer variable
* Fri Nov 19 2004 Warren Togami wtogami@redhat.com 1.4.3a-7.EL4
- RHEL4 ... etc., etc., etc. ...
When I do a "yum update", what am I really doing? Changing versions or not? Just updating to patched versions?
The patched versions will always have a new number. Whether it's a new version or one with backported patches or other incremental changes can usually be determined by the packagename-M.N part of the name.
What if I want to install a new version of a package?
If it's in a compatible repo, and has a higher version, just add the repo to your yum configuration (or alternate favorite package manager) and update.
What should I do to upgrade to a new version instead of a patched version? Anyway... why isn't the package of squirrelmail 1.4.5 in the repository?
Because RH chooses to do backports rather than new versions, and CentOS generally follows RHEL.
Where can I find a description of the packages in the repository? I mean, how can I know the real version, the patches applied to it, etc.?
See above.
Is there a way to use yum only to fix security problems? Or is that what it really does and I don't know it yet? The first time I ran yum update, I downloaded a lot of packages, but how can I know if they are new versions or just security patches for my old ones?
This has been discussed on several RH&derivatives lists. Seems that there's no easy way for yum to know a security update from a simple bug-fix or enhancement. Might turn up as a future feature. Best you can do now is look at the announcements and install only the security fixes, but that seems like more trouble than it's worth.
If I regularly use yum update, should I be relaxed that I have all my packages up to date and with their security patches?
That's about the best you can do, unless you want to monitor the security lists and roll your own patches.
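
Added example, not part of the original message: a small shell helper that reads `rpm -q --changelog` text on stdin and lists each CAN/CVE identifier with the version-release of the changelog entry that records it, which is how a backported fix shows up on a package whose upstream version has not changed. The function names are hypothetical, the sample input is the changelog quoted above, and the parser assumes each entry header ends with the version-release as it does in that output.

```shell
#!/bin/sh
# Added example (assumed helper names; not from the thread or from rpm/yum).
# Real use:  rpm -q --changelog squirrelmail | changelog_ids

# Print "ID version-release" for every CAN-/CVE- identifier in the changelog.
changelog_ids() {
    awk '
        # Entry header, e.g. "* Tue Feb 01 2005 Name email 1.4.3a-9.EL4":
        # assumption: the last field is the version-release of that entry.
        /^\* / { rel = $NF; next }
        {
            line = $0
            # A single changelog line may mention more than one identifier.
            while (match(line, /(CAN|CVE)-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH), rel
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# is_fixed ID: exit status 0 if the changelog on stdin mentions ID.
is_fixed() {
    changelog_ids | awk -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# Sample input: the changelog entries quoted in the message above.
sample_changelog() {
    cat <<'EOF'
* Tue Apr 12 2005 Johnny Hughes johnny@centos.org 1.4.3a-9.EL4.centos4
- remarked out the spash screen (RH/Fedora Trademark removal)
* Tue Feb 01 2005 Warren Togami wtogami@redhat.com 1.4.3a-9.EL4
- CAN-2005-0075 potential insecure file inclusions
* Mon Jan 31 2005 Warren Togami wtogami@redhat.com 1.4.3a-8.EL4
- CAN-2005-0103 for cross site scripting
- CAN-2005-0104 for code injectian via unsanitised integer variable
EOF
}

sample_changelog | changelog_ids
```

A changelog entry only shows that the packager recorded the fix; an identifier that is absent may still be fixed under a different note, so the vendor's announcements remain the authority.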