Hi,
Reading http://www.centos.org/modules/newbb/viewtopic.php?topic_id=30939&forum=3... I noticed a warning about an upcoming bugged update xorg-x11-server-utils-7.1-5.el5_6.1
I would advise everyone to add exclude=xorg-x11-server-utils-7.1-5.el5_6.1 to their updates repo config.
Regards, Leonard.
On 04/17/2011 03:56 PM, Leonard den Ottolander wrote:
Hi,
Reading http://www.centos.org/modules/newbb/viewtopic.php?topic_id=30939&forum=3... I noticed a warning about an upcoming bugged update xorg-x11-server-utils-7.1-5.el5_6.1
I would advise everyone to add exclude=xorg-x11-server-utils-7.1-5.el5_6.1 to their updates repo config.
this sounds like extremely bad advice.
- KB
centos-bounces@centos.org wrote:
On 04/17/2011 03:56 PM, Leonard den Ottolander wrote:
Hi,
Reading
http://www.centos.org/modules/newbb/viewtopic.php?topic_id=30939&forum=37 I noticed a warning about an upcoming bugged update xorg-x11-server-utils-7.1-5.el5_6.1
I would advise everyone to add exclude=xorg-x11-server-utils-7.1-5.el5_6.1 to their updates repo config.
this sounds like extremely bad advice.
Not as bad, however, as installing the update.
To be pedantic, a crashed system is bug-immune. Totally. This is not a preferred tactic, outside the Amish community (which hasn't had a hostile computer security escalation event in 300 years).
Security vulnerabilities are not good.
Crashed systems (or crashed major components thereof such as GUI) are worse. Don't install the update, wait for one that works without crashing/trashing major system components. SL has such an update, so we've heard here on this list.
Insert spiffy .sig here: Life is complex: it has both real and imaginary parts.
//me
On 04/18/2011 03:34 PM, Brunner, Brian T. wrote:
exclude=xorg-x11-server-utils-7.1-5.el5_6.1 to their updates repo config.
this sounds like extremely bad advice.
Not as bad, however, as installing the update.
Jim put it a lot better than me, if you are going to post things like that - make sure it's the complete story in one place.
let's hope the fix from upstream comes through soon
- KB
On 04/19/2011 06:19 AM, Karanbir Singh wrote:
On 04/18/2011 03:34 PM, Brunner, Brian T. wrote:
exclude=xorg-x11-server-utils-7.1-5.el5_6.1 to their updates repo config.
this sounds like extremely bad advice.
Not as bad, however, as installing the update.
Jim put it a lot better than me, if you are going to post things like that - make sure it's the complete story in one place.
let's hope the fix from upstream comes through soon
- KB
On Sun, Apr 17, 2011 at 10:56 AM, Leonard den Ottolander leonard@den.ottolander.nl wrote:
Hi,
Reading http://www.centos.org/modules/newbb/viewtopic.php?topic_id=30939&forum=3... I noticed a warning about an upcoming bugged update xorg-x11-server-utils-7.1-5.el5_6.1
Have you tested these updates to see if you have experienced any issue? Documenting symptoms people should watch for so that they can make their own decisions is far better than simply recommending that you exclude the update entirely. Recommending that people exclude something that may or may not impact them simply on the basis of one thread in the forums probably isn't the best approach.
I would advise people to always test updates if they are to be applied to critical systems.
On Mon, Apr 18, 2011 at 07:40:53AM -0400, Jim Perrin wrote:
On Sun, Apr 17, 2011 at 10:56 AM, Leonard den Ottolander leonard@den.ottolander.nl wrote:
Hi,
Reading http://www.centos.org/modules/newbb/viewtopic.php?topic_id=30939&forum=3... I noticed a warning about an upcoming bugged update xorg-x11-server-utils-7.1-5.el5_6.1
Have you tested these updates to see if you have experienced any issue? Documenting symptoms people should watch for so that they can make their own decisions is far better than simply recommending that you exclude the update entirely.
I confirm that the update crashes gnome-panel. The panel bars are displayed void of contents upon login.
Updating the packet and dependencies using the SL fix, as suggested in the link, fixes the issue although it removes a security patch.
Mihai
Hello Mihai,
On Mon, 2011-04-18 at 15:56 +0200, Mihai T. Lazarescu wrote:
I confirm that the update crashes gnome-panel. The panel bars are displayed void of contents upon login.
The gnome panel crashes are caused by the glibc update which is the main subject of that thread. This xorg-x11-server-utils is a different and perhaps not quite as severe issue as the one with glibc. This update breaks xrdb, the binary it is supposed to fix. No other binaries are affected, so it's the choice between a functional binary with a moderately severe vulnerability or a non functional binary.
Regards, Leonard.
On Mon, Apr 18, 2011 at 04:45:46PM +0200, Leonard den Ottolander wrote:
On Mon, 2011-04-18 at 15:56 +0200, Mihai T. Lazarescu wrote:
I confirm that the update crashes gnome-panel. The panel bars are displayed void of contents upon login.
The gnome panel crashes are caused by the glibc update which is the main subject of that thread. This xorg-x11-server-utils is a different and perhaps not quite as severe issue as the one with glibc. This update breaks xrdb, the binary it is supposed to fix. No other binaries are affected, so it's the choice between a functional binary with a moderately severe vulnerability or a non functional binary.
Leonard,
You're perfectly right, sorry for messing things up.
I indeed updated glibc and nscd from the SL fix to restore panel functionality.
Regards,
Mihai
Hello Jim,
On Mon, 2011-04-18 at 07:40 -0400, Jim Perrin wrote:
Have you tested these updates to see if you have experienced any issue? Documenting symptoms people should watch for so that they can make their own decisions is far better than simply recommending that you exclude the update entirely.
A description of the symptoms can be found in the upstream bug report for which a link can be found in the forum thread. Perhaps I should have linked the upstream report and I agree I should have mentioned the symptoms.
https://bugzilla.redhat.com/show_bug.cgi?id=695603
"xrdb in the xorg-x11-server-utils-7.1-5.el5_6.1.x86_64 package passes broken defines through sh to cpp causing sh to fail parsing the command line, thus failing to preprocess the xresources file passed and not loading anything."
It was discussed in the thread about the glibc breakage that my wording should be more careful and definitely less general, but as always, people can always make their own decisions, but you cannot anticipate issues you aren't aware of.
Recommending that people exclude something that may or may not impact them simply on the basis of one thread in the forums probably isn't the best approach.
If I read the upstream advisory https://rhn.redhat.com/errata/RHSA-2011-0433.html correctly this update contains a fix for a single vulnerability for xrdb. No other binaries are affected. All it does is replace a vulnerable but functional binary with a non functional version causing the Xresources not to be loaded.
Also the exclude option I suggest is version specific, which means you do not run the risk of not receiving future updates of this package.
Regards, Leonard.
On 04/18/2011 09:02 AM, Leonard den Ottolander wrote:
Hello Jim,
On Mon, 2011-04-18 at 07:40 -0400, Jim Perrin wrote:
Have you tested these updates to see if you have experienced any issue? Documenting symptoms people should watch for so that they can make their own decisions is far better than simply recommending that you exclude the update entirely.
A description of the symptoms can be found in the upstream bug report for which a link can be found in the forum thread. Perhaps I should have linked the upstream report and I agree I should have mentioned the symptoms.
https://bugzilla.redhat.com/show_bug.cgi?id=695603
"xrdb in the xorg-x11-server-utils-7.1-5.el5_6.1.x86_64 package passes broken defines through sh to cpp causing sh to fail parsing the command line, thus failing to preprocess the xresources file passed and not loading anything."
It was discussed in the thread about the glibc breakage that my wording should be more careful and definitely less general, but as always, people can always make their own decisions, but you cannot anticipate issues you aren't aware of.
Recommending that people exclude something that may or may not impact them simply on the basis of one thread in the forums probably isn't the best approach.
If I read the upstream advisory https://rhn.redhat.com/errata/RHSA-2011-0433.html correctly this update contains a fix for a single vulnerability for xrdb. No other binaries are affected. All it does is replace a vulnerable but functional binary with a non functional version causing the Xresources not to be loaded.
Also the exclude option I suggest is version specific, which means you do not run the risk of not receiving future updates of this package.
Thanks for putting the info for this package on the list.
I agree with some of the others that each user should decide for themselves if they want to install the update, but regardless, getting the info out for them to see beforehand is a good thing.
On 04/18/2011 09:02 AM, Leonard den Ottolander wrote:
Hello Jim,
On Mon, 2011-04-18 at 07:40 -0400, Jim Perrin wrote:
Have you tested these updates to see if you have experienced any issue? Documenting symptoms people should watch for so that they can make their own decisions is far better than simply recommending that you exclude the update entirely.
A description of the symptoms can be found in the upstream bug report for which a link can be found in the forum thread. Perhaps I should have linked the upstream report and I agree I should have mentioned the symptoms.
https://bugzilla.redhat.com/show_bug.cgi?id=695603
"xrdb in the xorg-x11-server-utils-7.1-5.el5_6.1.x86_64 package passes broken defines through sh to cpp causing sh to fail parsing the command line, thus failing to preprocess the xresources file passed and not loading anything."
It was discussed in the thread about the glibc breakage that my wording should be more careful and definitely less general, but as always, people can always make their own decisions, but you cannot anticipate issues you aren't aware of.
Recommending that people exclude something that may or may not impact them simply on the basis of one thread in the forums probably isn't the best approach.
If I read the upstream advisory https://rhn.redhat.com/errata/RHSA-2011-0433.html correctly this update contains a fix for a single vulnerability for xrdb. No other binaries are affected. All it does is replace a vulnerable but functional binary with a non functional version causing the Xresources not to be loaded.
Also the exclude option I suggest is version specific, which means you do not run the risk of not receiving future updates of this package.
It also seems this is fixed by this update:
On 04/19/2011 12:21 PM, Johnny Hughes wrote:
It also seems this is fixed by this update:
pushing this one through manually, so it goes through real quick :)