Why does it take so long for new (gimp, kernels, openoffice) packages to reach the stable repo ?
Kevin Kofler
kevin.kofler at chello.at
Fri Oct 17 23:12:41 UTC 2008
Rick Stevens <ricks <at> nerd.com> writes:
> you really need to run 0.9.8h or 0.9.8i because of security issues.
No you don't. The only security advisory released after 0.9.8g is this:
http://www.openssl.org/news/secadv_20080528.txt
(There's another one on their site, but that's for openssl-fips, not openssl
itself. That's a separate tarball which is not shipped in Fedora at all.)
The security issues this fixes are CVE-2008-0891 and CVE-2008-1672. They are
fixed for Fedora 9 in openssl-0.9.8g-9.fc9:
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01029.html
The old versions of OpenSSL in Fedora 8 are not affected by either of those
vulnerabilities (they were both introduced only in 0.9.8f), that's why no
security update for Fedora 8 or RHEL/CentOS has been issued.
Don't believe the version numbers alone. Red Hat often backports security
fixes, especially for RHEL, but also for Fedora in cases like OpenSSL where
every new version is incompatible with the previous ones. You can trust the Red
Hat and Fedora security teams to know what they are doing and to issue security
updates where appropriate.
Kevin Kofler
More information about the fedora-list
mailing list