Re: How do I verify a patch is applied?
From: Chris Morris (c.i.morris_at_durham.ac.uk)
Date: 08 Jul 2003 09:00:06 +0100

firstname.lastname@example.org (Yong Huang) writes:
> Managers keep forwarding security alerts to us even though our Apache
> is running inside the firewall (the same with Oracle listeners and
> other products). So we apply the patch. But without knowing how the
> security hole is exploited, we can only show managers the output of
> httpd -v to prove our work. Are we supposed to have somebody really
> check by trying to hack? Applying security patches becomes tedious
> without knowing the exploit. But obviously we won't know it unless we
> spend a lot of time on hackers' forums. What's common practice?

Don't forget that some security fixes are against potential problems
for which no real-world exploit is known.

Also don't forget that being inside the firewall only helps if a) the
firewall works and b) the integrity of every other machine inside it