On 02/24/2011 07:12 AM, Nico Kadel-Garcia wrote:
On Wed, Feb 23, 2011 at 10:23 PM, John R Pierce pierce@hogranch.com wrote:
On 02/23/11 6:08 PM, Machin, Greg wrote:
Hi.
I have had an enquiry from the Network and Security guy. He wants to know why CentOS 5.5 /RHEL 5 is using a very old version of bind “bind-chroot-9.3.6-4.P1.el5_5.3” when the latest release that has many security fixes is on 9.7.3 . I understand that its to maintain a known stable platform by in introducing new elements etc .. Is there an official explanation / document that I can direct him to.
to put it bluntly, your security guy is pretty much worthless as such if he thinks security is audited by checking version numbers.
sadly, this is too common.
No, it's actually useful. Backporting is painful, expensive, and often unreliable, and leaves various any unpublished zero-day exploits in the wild. It also indicates feature incompatibility with other tools that rely on the new features.
The above may or may not be true (I think red hat does a very good job of addressing security and stability with backporting) ... BUT ... if you do not like backports, then RHEL (and since we rebuild those sources, CentOS) is not the distribution that you want to be using. Backporting is what red hat does to fix most security issues. If you have a philosophical problem with backporting (many people do, that is their prerogative) then some other enterprise Linux version would be a much better choice.
I am not saying this to be a smart a$$ or be negative ... just saying that other enterprise distributions exist that provide long term stability without backports ... Unbuntu LTS is a free example. They also provide integration of all their system libraries and audit their software for security compliance.
I went through this last week with OpenSSH version 5.x (not currently available for RHEL or CentOS 5 except by third party provided software), and bash. Turns out that OpenSSH 5.x doesn't read your .bashrc for non-login sessions, OpenSSH 4.x did. RHEL 6 addressed this for normal use by updating bash so it gets handled more like people expect it to behave, but I had users very upset that the new OpenSSH with the new features did not handle their reset PATH settings from their .bashrc.
I would think that using an enterprise distribution of Linux where several hundreds of developers are testing the integration would serve you better than building your own openssh, your own bind, your own "everything else" and trying to bolt it onto the backport model that red hat uses to keep your stuff secure.