
Re: OpenSSL 0.9.7a seems to be vulnerable (was: Re: LKM Trojan)



Paul:

>FC3 is using the following RPM:
>
>$ rpm -q openssl
>openssl-0.9.7a-40
>
>An examination of the changelog for this RPM shows that patches for various 
>security vulnerabilities affecting openssl 0.9.7a have been included in this 
>version:
>
>$ rpm -q --changelog openssl
>... (snip)
>* Thu Mar 25 2004 Joe Orton <jorton redhat com> 0.9.7a-35
>
>- add security fixes for CAN-2004-0079, CAN-2004-0112
>... (snip)
>
>Moral of story: don't trust version numbers of packages.

You are correct.  However, there were two security releases after this update.  I still lean towards installing OpenSSL 0.9.7e directly from the OpenSSL web site.  However, there may be a further release through the FC Updates site.  In order to properly install the direct download, I would have to rpm -e (or yum remove) the installed rpm from FC and then install (and hope I don't break anything) the OpenSSL code.  This is an "advantage" of living on the "Bleeding Edge".


James McKenzie
A Proud User of Linux!
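
The changelog check discussed in this thread, as an added example that is not part of the original messages: it lists which CAN-/CVE- ids an RPM changelog names and in which release, instead of judging by the upstream version string. The function names, the second sample entry and the `CVE-0000-*` ids are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads `rpm -q --changelog`
# output on stdin and prints "CVE-id<TAB>version-release" for each id named.
changelog_ids() {
    awk '
        /^\* / {                            # entry header line
            rel = ($NF ~ /^[0-9]/) ? $NF : "unknown-release"
            next
        }
        {
            line = $0
            while (match(line, /(CAN|CVE)-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                sub(/^CAN/, "CVE", id)      # CAN- candidates were later renamed CVE-
                print id "\t" rel
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# For each id argument, report whether the changelog on stdin names it.
check_ids() {
    found=$(changelog_ids)
    for want in "$@"; do
        want=$(printf '%s' "$want" | sed 's/^CAN-/CVE-/')
        rel=$(printf '%s\n' "$found" | awk -F '\t' -v id="$want" '$1 == id { print $2; exit }')
        if [ -n "$rel" ]; then
            echo "$want listed in $rel"
        else
            echo "$want not listed"
        fi
    done
}

# Constructed sample: the entry quoted in the thread plus a made-up entry
# whose header carries no version-release field.
sample_changelog() {
    cat <<'EOF'
* Thu Mar 25 2004 Joe Orton <jorton redhat com> 0.9.7a-35

- add security fixes for CAN-2004-0079, CAN-2004-0112

* Mon Jan 01 2001 Example Packager <packager example com>
- constructed entry, placeholder id CVE-0000-0001
EOF
}

sample_changelog | check_ids CAN-2004-0079 CAN-2004-0112 CVE-0000-0001 CVE-0000-0000
```

On a live system the input would be `rpm -q --changelog openssl` piped into `check_ids` with the ids from the advisories of interest.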

