OpenSSL and OpenSSH vulnerabilities
Paul Howarth
paul at city-fan.org
Tue Oct 12 12:50:59 UTC 2004
Joseph Suarez wrote:
> As I understand it OpenSSL v 0.9.7a and OpenSSH v 3.6.1p2 used in FC2
> have had vulnerabilities for quite some time, as per the following
> advisories:
>
> (http://www.openssl.org/news/secadv_20040317.txt)

This references the following vulnerabilities:

CAN-2004-0079
CAN-2004-0112

Fixes for these issues are already included in the FC2 openssl RPMs:

$ rpm -q --changelog openssl | head -3
* Thu Mar 25 2004 Joe Orton <jorton at redhat.com> 0.9.7a-35
- add security fixes for CAN-2004-0079, CAN-2004-0112

> (http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:090)

This references the following vulnerability:

CAN-2003-0693

A look at the changelog for openssh reveals that this was fixed in the
3.6.1p2-11 openssh package way back in September 2003.

> My question is: are these vulnerabilities serious enough so that said
> libraries need to be updated, which leads to next question, as to where
> to find these updates (as there are presently none) on the FC2 updates
> mirror sites, in order to perform updates via "yum" for example?
>
> TIA, and please forgive my ignorance if that's the case :)

You really can't read too much into version numbers for distributors' packages
for security-related software. Fixes are often backported to earlier versions
for stability reasons.

Regards, Paul.
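
The changelog check described in the message above, generalized to several advisory IDs at once. This is an added example, not part of the original post: the function names and the second changelog entry are constructed for illustration, and it assumes each changelog header line ends with the package version-release.

```shell
#!/bin/sh
# cve_fixed_in: read `rpm -q --changelog <pkg>` text on stdin and take the
# advisory IDs to look up as arguments. For each ID it prints
# "<ID> <version-release>" of the entry mentioning it, or "<ID> NOT-FOUND".
cve_fixed_in() {
    awk -v ids="$*" '
    BEGIN {
        n = split(ids, want, " ")
        for (i = 1; i <= n; i++) {
            key[i] = want[i]
            # CAN-YYYY-NNNN candidates carry the same number as CVE-YYYY-NNNN,
            # so compare on the numeric part only.
            sub(/^(CAN|CVE)-/, "", key[i])
        }
    }
    # Entry header, e.g. "* Thu Mar 25 2004 Name <addr> 0.9.7a-35".
    # Assumption: the last field is the version-release.
    /^\* / { ver = $NF; next }
    {
        # Changelogs list the newest entry first, so the last match kept
        # here is the oldest entry that mentions the ID.
        for (i = 1; i <= n; i++)
            if ($0 ~ ("(CAN|CVE)-" key[i] "([^0-9]|$)"))
                found[i] = ver
    }
    END {
        for (i = 1; i <= n; i++)
            print want[i], ((i in found) ? found[i] : "NOT-FOUND")
    }'
}

# Sample input: the first entry is the one quoted in the message; the second
# entry is constructed.
sample_changelog() {
    cat <<'EOF'
* Thu Mar 25 2004 Joe Orton <jorton at redhat.com> 0.9.7a-35
- add security fixes for CAN-2004-0079, CAN-2004-0112

* Mon Jan 05 2004 Example Packager <packager at example.invalid> 0.9.7a-30
- constructed entry: rebuild only, no security fix
EOF
}

# On a real system: rpm -q --changelog openssl | cve_fixed_in CAN-2004-0079
sample_changelog | cve_fixed_in CVE-2004-0079 CAN-2004-0112 CAN-2003-0693
```

A NOT-FOUND result only means the ID is absent from that package's changelog; here CAN-2003-0693 belongs to openssh, so it would be checked against the openssh changelog instead.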