[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: OpenSSL 0.9.7a seems to be vulnerable (was: Re: LKM Trojan)



James Mckenzie said:
>> $ rpm -q --changelog openssl
>> ... (snip)
>> * Thu Mar 25 2004 Joe Orton <jorton redhat com> 0.9.7a-35
>>
>>
>> - add security fixes for CAN-2004-0079, CAN-2004-0112
>> ... (snip)
>>
>>
>> Moral of story: don't trust version numbers of packages.
>>
>
> You are correct.  However there were two security releases after this
> update.

Not according to the changelog.
http://www.openssl.org/news/changelog.html

> I still lean towards installing OpenSSL 0.9.7e directly from the
> OpenSSL web site.  However, there may be a further release through the FC
> Updates site.  In order to properly install the direct download, I would
> have to rpm -e (or yum remove) the installed rpm from FC and then install
> (and hope I don't break anything) the OpenSSL code.  This is an
> "advantage" of living on the "Bleeding Edge".

Which is your prerogative.  Once has to ask, though, if you are going to
break the packaging system, why bother using one in the first place.

--
William Hooper


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]