Redhat and OpenSSL Manner

Aleksandar Milivojevic alex at milivojevic.org
Thu Dec 21 15:02:21 UTC 2006


Quoting Vahric MUHTARYAN <vahric at doruk.net.tr>:

> Hello,
>
> We are scanning our web servers for vulnerabilities but I have a
> problem with one thing. I read that Red Hat never changes the version of
> openssl but it is updating it; it just adds additional numbers
> behind the package, like below, but I don't know whether this version is equal
> to 0.9.7l or 0.9.8d. Does anybody have knowledge about it?
>
> openssl-0.9.7a-43.14

It's equivalent to 0.9.7a as originally distributed by the OpenSSL  
project, with security and bug fixes added to it by Red Hat.  The  
package is always built from the version of the source it claims to be,  
with security and bug patches applied to it.

The rule of thumb is, the version is always what it says it is, with  
security and bug fixes backported from newer versions.  In some cases,  
enhancements and new features might be backported from newer versions  
too if they do not introduce any compatibility problems (for  
example, this is often done for the kernel package in RHEL to support new  
hardware).  Notice the keyword "backported" that I used.  Red Hat does  
not use the new version of the source code.  They just reimplement fixes  
into the old version as a series of patches.  If you look into the  
SRPM packages, you'll see that they contain the original unchanged source  
code, which is the same version as the package version, and also a bunch  
of patches (security and bug fixes) that get applied to that source  
code prior to compilation.
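
The practical consequence for a vulnerability scanner is that the upstream version string alone cannot tell you whether a fix is present; the package release and its changelog can. The following added example (not code from the list post) splits a name-version-release string like the one above and looks up CVE ids in an RPM changelog. The changelog text and CVE ids are constructed placeholders for illustration.

```python
import re

# Constructed sample of what `rpm -q --changelog openssl` might print for a
# backported build.  Entries and CVE ids are placeholders, not real data.
SAMPLE_CHANGELOG = """\
* Wed Sep 27 2006 Maintainer <maint@example.com> 0.9.7a-43.14
- fix buffer overflow (CVE-0000-0001)
- backport DoS fix from 0.9.7l (CVE-0000-0002)

* Thu Jul 06 2006 Maintainer <maint@example.com> 0.9.7a-43.8
- rebuild
"""

NEVR_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_nevr(pkg):
    """Split 'openssl-0.9.7a-43.14' into (name, version, release).

    The version is the upstream release the source was built from; the
    release field counts the vendor rebuilds with patches applied on top.
    """
    m = NEVR_RE.match(pkg)
    if not m:
        raise ValueError(f"not a name-version-release string: {pkg}")
    return m.group("name"), m.group("version"), m.group("release")


def fixed_cves(changelog):
    """Return the set of CVE ids mentioned anywhere in an RPM changelog."""
    return set(CVE_RE.findall(changelog))


def assess(pkg, changelog, cve):
    """Report whether a CVE is addressed in this build.

    A scanner that only compares the upstream version (0.9.7a) against the
    first fixed upstream release would flag the package as vulnerable; the
    vendor changelog of the backported build is the evidence that counts.
    """
    name, version, release = parse_nevr(pkg)
    if cve in fixed_cves(changelog):
        return f"{name} {version}-{release}: {cve} fixed by vendor backport"
    return f"{name} {version}-{release}: {cve} not mentioned in changelog"
```

On a real system, replace SAMPLE_CHANGELOG with the output of `rpm -q --changelog <package>` and check the vendor's errata for the release number when the changelog entry is ambiguous.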