Security updates for old Red Hat releases
Posted Nov 20, 2003 10:20 UTC (Thu) by simlo (subscriber, #10866)
Parent article: Security updates for old Red Hat releases

I am right now using RedHat on all my machines. I have an old rh6.2 running sshd and Apache/PHP exposed to the open net. I have to update manually from source now. That is a pain - especially since the last version of openssh didn't even compile on it!

So I am seriously considering changing to Debian since I got the impression that updates will always be available. For how long can you keep updating a Debian machine without having to bring it down and reinstall it? If you ignore kernel updates, for how long can you keep updating without even rebooting?

(The one machine I am interested in particularly is the old rh6.2 one. It is 300 km away (3½ hours by train and bus) and I haven't even been at the site for 2 years. It is only rebooted when there is a power cut in the building, which seems to happen approximately once a year.)

Security updates for old Red Hat releases

Posted Nov 20, 2003 11:58 UTC (Thu) by maceto (guest, #16498)

Eh, Debian can run for as long as your hardware goes. You only do apt-get update and apt-get upgrade to get the fixes; then when a new version comes out you do an apt-get dist-upgrade.

Say you don't wanna change kernel: use SE-Linux or LIDS then, and lock it down totally. That should help you a lot, at least for some time.

SE-Linux

Posted Nov 20, 2003 12:27 UTC (Thu) by simlo (subscriber, #10866)

> Say you don't wanna change kernel: use SE-Linux or LIDS then

From the very little I know about SE-Linux I still think I can conclude the following:

Even with SE-Linux you will have to upgrade the kernel if a bug is found. I can see no way a system can lock down your access if the system itself is buggy (see the Xbox, for instance). You might live with the bug if it, for instance, gives users root permissions, as SE then might catch it. But buffer overflows in the kernel itself can still be used to get arbitrary code executed in the kernel, thus avoiding SE as well as normal permission checks. And DoS attacks have of course nothing to do with SE or not.

On the other hand, you can better live with bugs in userspace applications like sshd and Apache, as the SE system might be able to catch the problems.

Conclusion: Kernel updates are still needed. But you might be able to relax a bit about other updates.

Again, I don't know so much about SE, but I don't believe in magic :-)

Security updates for old Red Hat releases

Posted Nov 20, 2003 12:11 UTC (Thu) by NAR (subscriber, #1313)

I think you should have updated to rh7.0, then rh7.1, rh7.2, etc. It is possible; however, this far from the machine it is quite risky. I must admit that it's much easier with Debian to issue an apt-get dist-upgrade, but then you should still reboot if e.g. glibc is upgraded.

Bye, NAR
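The reboot-after-glibc point above has a checkable form: a process started before a library upgrade keeps the old, now-unlinked copy mapped, and the kernel shows such mappings as "(deleted)" in /proc/PID/maps. The following is an added example (not from the thread or any commenter) that lists those processes; it assumes Linux with /proc, and /proc/PID/comm (absent on kernels of the RH 6.2 era) is optional.

```shell
#!/bin/sh
# Added example, not from the LWN thread or its commenters. After a shared
# library is upgraded in place (glibc is the classic case), every process that
# was already running keeps the OLD copy mapped until it is restarted, so the
# box is not actually fixed even though the package is. Procfs appends
# "(deleted)" to the path of a mapping whose file was unlinked, which is what
# a package manager's rename-over-the-old-file does to the previous inode.
# Assumes Linux with /proc; /proc/PID/comm is newer than the RH 6.2-era
# kernels discussed, so the process name falls back to '?' if it is missing.

# deleted_libs: read one process's maps from stdin, print each shared library
# whose on-disk file has been replaced or removed (one path per line, unique).
# The .so filter keeps deliberately unlinked temp files out of the report.
deleted_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so(\.|$)/ { print $(NF-1) }' | sort -u
}

# scan_procs: walk every process and print "PID<TAB>name<TAB>stale library".
# Needs root to read other users' maps; unreadable entries are skipped.
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || comm='?'
        deleted_libs < "$maps" 2>/dev/null | while read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample of a maps file for an sshd that outlived a glibc upgrade:
# libc is stale, libz is current, and the unlinked scratch file is not a library.
SAMPLE_MAPS='00400000-00452000 r-xp 00000000 08:01 131 /usr/sbin/sshd
7f0000000000-7f00001c0000 r-xp 00000000 08:01 5 /lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f0000200000-7f0000210000 r--p 00000000 08:01 6 /lib/x86_64-linux-gnu/libz.so.1.2.11
7f0000300000-7f0000301000 rw-p 00000000 00:00 0 /tmp/scratch.dat (deleted)'

# Run with --scan on a live system; otherwise show the result for the sample.
if [ "${1:-}" = --scan ]; then
    scan_procs
else
    printf '%s\n' "$SAMPLE_MAPS" | deleted_libs   # prints the stale libc path
fi
```

Restarting the listed services clears every entry except a stale libc inside PID 1, which is the one case where re-executing init or rebooting is unavoidable.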

Security updates for old Red Hat releases

Posted Nov 20, 2003 15:09 UTC (Thu) by smoogen (subscriber, #97)

Debian offers security releases for their releases usually only 6-8 months after the next stable release is done. However, since stable releases are a slow process (no matter how many times the leaders want to move it to once a year) you are pretty good.

The one thing to know is that this is all done by volunteers, and if they feel too put upon to release things (too many complaints, not enough help, too much virtual beer and not enough real beer) they have left or changed the release times to better fit their needs. I don't mean this to be a negative on Debian. I mean it more that freeloaders (people who don't help (either on forums, documentation, patches, testing, etc.) and only take) are probably the one thing that hurts it the most.

Security updates for old Red Hat releases

Posted Nov 20, 2003 15:52 UTC (Thu) by RobSeace (subscriber, #4435)

I deal with 2 RH6.2 machines regularly, and have a REALLY old RH5.2 machine sitting in the other room from me now... (The latter has currently been up about 124 days...) The "end of life" of these releases isn't really as scary as it might seem... Yes, when a major security hole comes up in something you're running on these machines, you're pretty much on your own to fix it... And, yes, sometimes that can be a real pain... (I certainly wouldn't recommend anyone who isn't a programmer attempt to maintain old releases on their own like this... You often have to get down and dirty with the source, and fix up busted patches, or just code up the fix yourself because no backported patch is available and the new one is too different to apply, etc... It's not for the weak of heart... ;-) But, for a coder, it's not really anything too difficult to cope with...) BUT, thankfully that seems to be a fairly rare occurrence... Yes, I've had to patch up sendmail and sshd a couple times... But, that's about it... Over the course of I can't even remember how many years that RH5.2 box has been around... We're talking maybe 1 or 2 issues per year, at the most... No, that's not patching every little thing that comes up; only the stuff that actually MATTERS for your system... E.g.: if you don't run sshd, there's no reason to patch it, since it won't impact your security, one way or the other... And, it's also still going with the back-porting approach, in general when possible, rather than upgrading to the latest and greatest spiffy new versions... There are many, many cases where you'll see a series of repeated frequent bug reports which only impact the newest version, due to some new feature they added or some code rewrite they did, or something... With an older version, it's generally more stable and proven, and you're probably best off not trying to upgrade until you upgrade the entire system... (Of course, as with everything, there ARE exceptions to this rule...) But, in my experience, on these old EOL'd systems, there really isn't a constant flux of holes you need to keep busy patching every single day, or anything... Things do come up sometimes, but they seem fairly rare to me... *shrug*

Security updates for old Red Hat releases

Posted Nov 28, 2003 1:31 UTC (Fri) by mpaananen (guest, #17273)

Well, RH6.2 never shipped with sshd from Red Hat, so you were on your own right from the start.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds