[lug] Where to get security-patched rpms?
Matt Thompson
thompsma at colorado.edu
Sat Jul 24 15:33:53 MDT 2004
Bill Thoen wrote:
> Thanks for the help yesterday on compiling source RPMs. I did manage to
> rebuild PHP 4.2.2, adding in MySQL support, and it works great now. The
> source RPM had some patch files which I applied with 'patch' before
> recompiling manually, and for once, I had no problems!
>
> But I noticed that the newest patches were dated some time last year and I
> understand that there's been a new security hole found in PHP within the
> last month, which has been fixed in PHP 5. Because PHP 5 wants a newer
> version of Apache than I have on my RH 9 box, I wasn't able to compile
> this PHP 5 source (which I'd need to do to get MySQL support) and I'm not
> yet brave enough to try to rebuild Apache. (There seems to be a lot of
> other RPMs that depend on the httpd RPM.)
>
> So, is there any place where source RPMs are available with the latest
> security fixes, but not necessarily any new features? I'm perfectly happy
> with PHP 4.2.2, but only if I can be sure it's not going to get hacked. I
> searched around on RedHat.com but I couldn't find anywhere where they
> support RH 9 errata. Do they no longer support version 9?

While RH 9 was EOLed a while back, the Fedora Legacy Project is still
packaging for it:

http://www.fedoralegacy.org/

They currently have ended support for RH 7.2 and 8.0, but they are still
doing 9.0. They have php-*-4.2.2-17.2 right now with a date of
01-Jul-2003, so I'm not sure PHP themselves care about it. It could be
non-maintained.

So, the next thing to do is to get 4.3.8, which has been patched very
recently. Stuart Low, who does MySQL, PHP, httpd, et al., has packaged
it for RH 9 (and many others):

http://www.redhat.com/archives/fedora-legacy-list/2004-July/msg00076.html

If you are keeping an RH 9 system around, I recommend watching the
fedora-legacy list and, even, adding the FL repo in yum/apt.

HTH,
Matt
--
Learning just means you were wrong and they were right. - Aram
Matt Thompson -- http://ucsub.colorado.edu/~thompsma/
440 UCB, Boulder, CO 80309-0440
JILA A510, 303-492-4662