[CentOS] Updating - CentOS Repository

Phil Schaffner Philip.R.Schaffner at nasa.gov
Thu Jul 28 18:44:20 UTC 2005


On Wed, 2005-07-27 at 23:59 -0300, Claudio Castro wrote:
...
> So are you saying that the packet I found in the CentOS repository 
> (1.4.3) is patched properly?

$ rpm -q --changelog -p squirrelmail-1.4.3a-9.EL4.centos4.noarch.rpm
* Tue Apr 12 2005 Johnny Hughes <johnny at centos.org> 1.4.3a-9.EL4.centos4

- remarked out the spash screen (RH/Fedora Trademark removal)

* Tue Feb 01 2005 Warren Togami <wtogami at redhat.com> 1.4.3a-9.EL4

- CAN-2005-0075 potential insecure file inclusions

* Mon Jan 31 2005 Warren Togami <wtogami at redhat.com> 1.4.3a-8.EL4

- CAN-2005-0103 for cross site scripting
- CAN-2005-0104 for code injectian via unsanitised integer variable

* Fri Nov 19 2004 Warren Togami <wtogami at redhat.com> 1.4.3a-7.EL4

- RHEL4
... etc., etc., etc. ...

> When I do a "yum update", what am I really doing? Changing versions or not?
> Just updating to patched versions?

The patched versions will always have a new number.  Whether it's a new
version or one with backported patches or other incremental changes can
usually be determined by the packagename-M.N part of the name.

> What if I want to install a new version of a package?

If it's in a compatible repo, and has a higher version, just add the
repo to your yum configuration (or alternate favorite package manager)
and update.

> What should I do to upgrade to a new version instead of a patched version?
> Anyway... why isn't the package of squirrelmail 1.4.5 in the repository?

Because RH chooses to do backports rather than new versions, and CentOS
generally follows RHEL.

> Where can I find a description of the packages in the repository? I 
> mean... how can I know the real version, the patches applied to it, etc.?

See above.

> 
> Is there a way to use yum only to fix security problems? Or is that what 
> it really does and I don't know it yet? The first time I run yum update, I 
> download a lot of packages, but how can I know if they are new versions 
> or just security patches for my old ones?

This has been discussed on several RH&derivatives lists.  Seems that
there's no easy way for yum to know a security update from a simple bug-
fix or enhancement.  Might turn up as a future feature.  Best you can do
now is look at the announcements and install only the security fixes,
but that seems like more trouble than it's worth.
  
> If I regularly use yum update, should I be relaxed that I have all my 
> packages up to date and with their security patches?

That's about the best you can do, unless you want to monitor the
security lists and roll your own patches.
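
Added example, not part of the original message: a small POSIX shell helper that reads `rpm -q --changelog` output and reports which build carries a given advisory ID, showing the upstream version staying at 1.4.3a while the release number changes. The function names are hypothetical, the sample input is built from the changelog lines quoted above, and it assumes each changelog header line ends in version-release.

```sh
#!/bin/sh
# Constructed sample: the changelog lines quoted in the message above, in the
# layout `rpm -q --changelog` prints (header line, then "- " items).
sample_changelog() {
cat <<'EOF'
* Tue Apr 12 2005 Johnny Hughes <johnny at centos.org> 1.4.3a-9.EL4.centos4
- remarked out the spash screen (RH/Fedora Trademark removal)

* Tue Feb 01 2005 Warren Togami <wtogami at redhat.com> 1.4.3a-9.EL4
- CAN-2005-0075 potential insecure file inclusions

* Mon Jan 31 2005 Warren Togami <wtogami at redhat.com> 1.4.3a-8.EL4
- CAN-2005-0103 for cross site scripting
- CAN-2005-0104 for code injectian via unsanitised integer variable
EOF
}

# list_advisories: read a changelog on stdin, print "ID version release" for
# every CAN-/CVE- identifier. Assumes each header line ends in version-release.
list_advisories() {
    awk '
        /^\* / { build = $NF; next }
        {
            line = $0
            while (match(line, /(CAN|CVE)-[0-9]+-[0-9]+/)) {
                n = split(build, part, "-"); rel = part[n]
                ver = substr(build, 1, length(build) - length(rel) - 1)
                print substr(line, RSTART, RLENGTH), ver, rel
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# fixed_in ID: print the build whose entry mentions ID; return 1 if none does.
fixed_in() {
    awk -v id="$1" '
        /^\* / { build = $NF; next }
        index($0, id) { print build; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# On a real host: rpm -q --changelog squirrelmail | fixed_in CAN-2005-0075
sample_changelog | list_advisories
```

A non-zero exit from `fixed_in` only means the changelog does not mention the ID, so it is a prompt to check the vendor announcement rather than proof that the fix is absent.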




