[CentOS] Updating - CentOS Repository

Thu Jul 28 18:44:20 UTC 2005
Phil Schaffner <Philip.R.Schaffner at nasa.gov>

On Wed, 2005-07-27 at 23:59 -0300, Claudio Castro wrote:
...
> So are you saying that the packet I found in the CentOS repository
> (1.4.3) is patched properly?

$ rpm -q --changelog -p squirrelmail-1.4.3a-9.EL4.centos4.noarch.rpm
* Tue Apr 12 2005 Johnny Hughes <johnny at centos.org> 1.4.3a-9.EL4.centos4

- remarked out the spash screen (RH/Fedora Trademark removal)

* Tue Feb 01 2005 Warren Togami <wtogami at redhat.com> 1.4.3a-9.EL4

- CAN-2005-0075 potential insecure file inclusions

* Mon Jan 31 2005 Warren Togami <wtogami at redhat.com> 1.4.3a-8.EL4

- CAN-2005-0103 for cross site scripting
- CAN-2005-0104 for code injectian via unsanitised integer variable

* Fri Nov 19 2004 Warren Togami <wtogami at redhat.com> 1.4.3a-7.EL4

- RHEL4
... etc., etc., etc. ...

> When I do a "yum update" what am I really doing? Changing versions or not?
> Just updating to patched versions?

The patched versions will always have a new number.  Whether it's a new
version or one with backported patches or other incremental changes can
usually be determined by the packagename-M.N part of the name.

> What if I want to install a new version of a package?

If it's in a compatible repo, and has a higher version, just add the
repo to your yum configuration (or alternate favorite package manager)
and update.

> What should I do to upgrade to a new version instead of a patched version?
> Anyway... why isn't the package of squirrelmail 1.4.5 in the repository?

Because RH chooses to do backports rather than new versions, and CentOS
generally follows RHEL.

> Where can I find a description of the packages in the repository... I
> mean... how can I know the real version... the patches applied to it... etc.?

See above.

>
> Is there a way to use yum only to fix security problems? Or is that what
> it really does and I don't know it yet... the first time I ran yum update... I
> downloaded a lot of packages... but how can I know if they are new versions
> or just security patches for my old ones...?

This has been discussed on several RH&derivatives lists.  Seems that
there's no easy way for yum to know a security update from a simple bug-
fix or enhancement.  Might turn up as a future feature.  Best you can do
now is look at the announcements and install only the security fixes,
but that seems like more trouble than it's worth.

> If I regularly use yum update, should I be relaxed that I have all my
> packages up to date and with their security patches?

That's about the best you can do, unless you want to monitor the
security lists and roll your own patches.
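As an added example, not from this thread or from CentOS, here is a POSIX shell function that pulls the CAN-/CVE- identifiers out of "rpm -q --changelog" output and, when given the installed version-release, lists only the security fixes an update would bring. It assumes changelog headers in the form shown above (newest entry first) and uses a sample changelog constructed from the squirrelmail entries quoted in the thread.

```shell
#!/bin/sh
# Added example: list the security fixes (CAN-/CVE- ids) recorded in an rpm
# changelog, so an update is judged by its backported fixes, not its version.
# Assumption: entries are newest first, with headers of the form
#   * <date> <packager> <version-release>
# as in the rpm -q --changelog output quoted in the thread.

# Print "version-release<TAB>identifier" for every security id read on stdin.
# If a version-release is given as $1 (the installed one), stop at that
# entry so only fixes newer than the installed package are listed.
security_entries() {
    awk -v installed="${1:-}" '
        /^\* / {                        # changelog header line
            rel = $NF
            if (installed != "" && rel == installed) exit
            next
        }
        {
            line = $0
            # one entry may cite several ids; report each of them
            while (match(line, /(CAN|CVE)-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print rel "\t" substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

# Constructed sample: the squirrelmail changelog quoted in this thread.
SAMPLE_CHANGELOG='* Tue Apr 12 2005 Johnny Hughes <johnny at centos.org> 1.4.3a-9.EL4.centos4
- remarked out the spash screen (RH/Fedora Trademark removal)
* Tue Feb 01 2005 Warren Togami <wtogami at redhat.com> 1.4.3a-9.EL4
- CAN-2005-0075 potential insecure file inclusions
* Mon Jan 31 2005 Warren Togami <wtogami at redhat.com> 1.4.3a-8.EL4
- CAN-2005-0103 for cross site scripting
- CAN-2005-0104 for code injectian via unsanitised integer variable
* Fri Nov 19 2004 Warren Togami <wtogami at redhat.com> 1.4.3a-7.EL4
- RHEL4'

# Total security ids in the sample, and only those newer than the
# installed version-release given as $1 (the installed entry is excluded).
all_security_count() { printf '%s\n' "$SAMPLE_CHANGELOG" | security_entries | wc -l | tr -d ' '; }
newer_security_count() { printf '%s\n' "$SAMPLE_CHANGELOG" | security_entries "$1" | wc -l | tr -d ' '; }

# Real use (not run here):
#   rpm -q --changelog -p new.rpm | security_entries "$(rpm -q --qf '%{VERSION}-%{RELEASE}' squirrelmail)"
```

Running it on the sample with 1.4.3a-8.EL4 installed reports only CAN-2005-0075, the one fix that the 1.4.3a-9 update adds.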