[CentOS] httpd - mysql - paypal.com.tar - hacker

Fri Aug 21 21:42:31 UTC 2009
Ray Van Dolson <rayvd at bludgeon.org>

On Fri, Aug 21, 2009 at 05:34:27PM -0400, Jim Perrin wrote:
> On Fri, Aug 21, 2009 at 5:17 PM, Ray Van Dolson<rayvd at bludgeon.org> wrote:
> 
> >  - Keep phpMyAdmin up to date.  Best way to do this is to use a
> >    package from a well known repository like EPEL that keeps the
> >    package at the latest version for you.
> 
> 
> I've not beaten EPEL up too much on things like this, but here is one
> instance where it counts. EPEL relies on its packagers to keep things
> current, and in a startling number of cases, they do not. Case in
> point is the wiki software, moin. Moin is at something like 1.8.x or
> 1.9.x now, and has several posted security issues, which have been
> fixed in the most recent versions. EPEL however is still shipping
> 1.5.9 ->
> http://download.fedora.redhat.com/pub/epel/5/i386/repoview/moin.html
> 
> Just because it's from a well known 3rd party repository doesn't mean
> it's fully patched. While your advice to use known repositories is
> good, please don't let it fool you into a false sense of security.

The upgrade from Moin 1.5.x to newer versions is not something that can
be automated (as I understand it).  Thus the decision was to leave Moin
as is and likely provide a newer moin18 or moin19 package (whatever the
latest is) in the interim and at some point obsolete the older version.
(Hopefully I didn't get that wrong)

Moin is a special case.  For the most part EPEL maintainers do a good
job of keeping things as up to date as they can.

Of course, as Jim pointed out, with any repository maintained by
volunteers (this includes rpmforge, CentOS-extras, etc), you're at the
whim of the packager.  Tread with adequate caution!  This is why
sysadmins should have some skills of their own to identify packages
that might require a little extra TLC, or to keep an eye on the
appropriate security mailing lists.

We all have a number of tools in our toolchests. :)

For the most part, however, I'm going to prefer a package from an
active repository like EPEL or rpmforge over handbuilding something
like phpMyAdmin every time there's a new release.

To each their own though...

Ray
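
As an added illustration of the point above about sysadmins being able to spot packages that need extra attention (this is example code written for this page, not code from the list post, from EPEL, or from any of the projects mentioned): the script below reimplements rpm's own version-comparison algorithm (rpmvercmp) in Python and runs it over a constructed `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` listing against a hand-maintained table of upstream versions. The installed and upstream version strings in it are illustrative, not a claim about what any repository shipped; the function and variable names are this example's own.

```python
"""Flag installed RPMs whose upstream version string is older than the
latest release you track by hand. Example code, not from the CentOS list
or from EPEL. Reimplements rpm's rpmvercmp (segment-wise comparison with
'~' sorting before everything); the '^' marker of newer rpm is not handled.
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp(a, b)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is neither alphanumeric nor '~'.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' (pre-release marker) sorts before everything, even end of string.
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a run of the same kind (all digits or all letters) from both.
        isnum = a[i].isdigit()
        si, sj = i, j
        if isnum:
            while i < len(a) and a[i].isdigit():
                i += 1
            while j < len(b) and b[j].isdigit():
                j += 1
        else:
            while i < len(a) and a[i].isalpha():
                i += 1
            while j < len(b) and b[j].isalpha():
                j += 1
        x, y = a[si:i], b[sj:j]
        if not y:
            # Segment types differ: a numeric segment is always newer than alpha.
            return 1 if isnum else -1
        if isnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has segments left wins (rpm quirk: "1.5rc1" > "1.5").
    return -1 if i >= len(a) else 1


def parse_rpm_query(text: str) -> dict:
    """Parse lines of 'NAME VERSION RELEASE' into {name: (version, release)}."""
    pkgs = {}
    for line in text.strip().splitlines():
        name, version, release = line.split()
        pkgs[name] = (version, release)
    return pkgs


def lagging(installed: dict, upstream: dict) -> list:
    """Return (name, installed_version, upstream_version) for packages whose
    installed VERSION sorts below the upstream version you track."""
    out = []
    for name, latest in upstream.items():
        if name in installed and rpmvercmp(installed[name][0], latest) < 0:
            out.append((name, installed[name][0], latest))
    return sorted(out)


# Constructed sample input, shaped like rpm -qa --qf output; versions illustrative.
INSTALLED = """\
moin 1.5.9 5.el5
phpMyAdmin 2.11.9.6 1.el5
httpd 2.2.3 22.el5.centos
"""

# Constructed "latest upstream" table; you would maintain this by hand from
# the projects' release announcements and the oss-security / vendor lists.
UPSTREAM = {"moin": "1.8.4", "phpMyAdmin": "2.11.9.6", "httpd": "2.2.13"}

if __name__ == "__main__":
    for name, have, want in lagging(parse_rpm_query(INSTALLED), UPSTREAM):
        print(f"{name}: installed {have}, upstream {want}")
```

Two caveats when reading the output. First, a lagging version string is a prompt to look, not proof of a hole: Red Hat and CentOS backport security fixes into the base release (the `httpd 2.2.3-22.el5` line above is that case), so the next step is `rpm -q --changelog httpd | grep -i cve` rather than a panic upgrade. Second, the comparison is deliberately restricted to VERSION, because RELEASE is the packager's counter and says nothing about upstream currency; it is exactly the EPEL-vs-upstream gap Jim describes for moin that this catches.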