Re: How do I verify a patch is applied?

From: Chris Morris (c.i.morris_at_durham.ac.uk)
Date: 07/08/03


Date: 08 Jul 2003 09:00:06 +0100

yong321@yahoo.com (Yong Huang) writes:
> Managers keep forwarding security alerts to us even though our Apache
> is running inside the firewall (the same with Oracle listeners and
> other products). So we apply the patch. But without knowing how the
> security hole is exploited, we can only show managers the output of
> httpd -v to prove our work. Are we supposed to have somebody really
> check by trying to hack? Applying security patches becomes tedious
> without knowing the exploit. But obviously we won't know it unless we
> spend a lot of time on hackers' forums. What's common practice?

Don't forget that some security fixes are against potential problems
for which no real-world exploit is known.

Also don't forget that being inside the firewall only helps if a) the
firewall works and b) the integrity of every other machine inside it
is good.

-- 
Chris