Is my package fixed? Or: How to look into RPMs

Procedure 1. How to find out what HAS been changed:

1. get the original source RPM as distributed on the CDs ("zq" or "src" directory)

2. get the "fixed" package (see the security announcement, it contains the link to where to find it.)

3. compare the changelogs of the packages:

   	rpm -qp --changelog /path/to/old.rpm > /tmp/old.changes 
   	rpm -qp --changelog /path/to/new.rpm > /tmp/new.changes 
   	diff -u /tmp/old.changes /tmp/new.changes | grep "^+"
   	

4. compare the file lists (just for an overview):

       	/usr/lib/rpm/rpmdiff /path/to/old.rpm /path/to/new.rpm
   	

   This step would very likely show you that a patch file that has been added.

5. to look further, unpack the source RPMs:

       	mkdir old; ( cd old; rpm2cpio /path/to/old.rpm | cpio -i --make-directories )
       	mkdir new; ( cd new; rpm2cpio /path/to/new.rpm | cpio -i --make-directories )
   	

6. compare the two directories:

       diff -uNr old new | less
   	

   or

       diff -uNr old new | view - -c "syntax on" 
   	

   if you like it colorful. Or, pipe it into diffstat, or print it out via pdiff :-)

Procedure 2. How to find out what SHOULD have been changed:

1. get the most recent sources (i.e. the fixed version) of, for example, openssl.

2. get the second most recent sources (the vulnerable version).

3. untar both of them.

4. read and compare the ChangeLog or CHANGES files (or a similar file).

5. run a recursive diff about the two source directories to review the changes.