On Wed, Feb 23, 2011 at 10:23 PM, John R Pierce pierce@hogranch.com wrote:
On 02/23/11 6:08 PM, Machin, Greg wrote:
Hi.
I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 / RHEL 5 is using a very old version of bind, "bind-chroot-9.3.6-4.P1.el5_5.3", when the latest release, which has many security fixes, is 9.7.3. I understand that it's to maintain a known stable platform by not introducing new elements etc. Is there an official explanation / document that I can direct him to?
to put it bluntly, your security guy is pretty much worthless as such if he thinks security is audited by checking version numbers.
sadly, this is too common.
No, it's actually useful. Backporting is painful, expensive, and often unreliable, and leaves various unpublished zero-day exploits in the wild. It also indicates feature incompatibility with other tools that rely on the new features.
I went through this last week with OpenSSH version 5.x (not currently available for RHEL or CentOS 5 except by third-party provided software), and bash. Turns out that OpenSSH 5.x doesn't read your .bashrc for non-login sessions; OpenSSH 4.x did. RHEL 6 addressed this for normal use by updating bash so it gets handled more like people expect it to behave, but I had users very upset that the new OpenSSH with the new features did not handle their reset PATH settings from their .bashrc.
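Added illustration, not written by anyone in this thread: on RHEL/CentOS the record of which security fixes were backported into an old-numbered package is the RPM changelog, not the upstream version, so an auditor should compare CVE ids against that changelog rather than against 9.3.6 vs 9.7.3. The script embeds a constructed changelog with placeholder CVE ids so it runs offline; on a real box you would pipe in the output of rpm -q --changelog bind-chroot instead.

```shell
#!/bin/sh
# List the CVE identifiers an RPM changelog claims to fix, and check for one.
#
# Real usage on CentOS/RHEL:
#   rpm -q --changelog bind-chroot | cves_from_changelog
#   rpm -q --changelog bind-chroot | changelog_fixes_cve CVE-YYYY-NNNN
#
# CONSTRUCTED sample with PLACEHOLDER CVE ids (CVE-0000-*), embedded so the
# script runs without rpm installed. It is not bind's real changelog.
SAMPLE_CHANGELOG='* Mon Jan 01 2011 Example Maintainer <maint@example.com> - 32:9.3.6-4.P1.3
- fix CVE-0000-0001 (placeholder id)
- fix CVE-0000-0002 (placeholder id), follow-up for CVE-0000-0001
* Mon Jan 01 2010 Example Maintainer <maint@example.com> - 32:9.3.6-4.P1.1
- rebuild, no security content'

# Read changelog text on stdin; print each distinct CVE id once, sorted.
cves_from_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Read changelog text on stdin; exit 0 if the CVE id given as $1 is listed.
changelog_fixes_cve() {
    cves_from_changelog | grep -qx "$1"
}

# Number of distinct CVE ids in the embedded sample (used for self-checking).
sample_cve_count() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | cves_from_changelog | wc -l | tr -d ' '
}

# Demonstration against the embedded sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | cves_from_changelog
```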