I'm running a CentOS 3.4 box. According to yum, the OpenSSL 0.9.7a-33.15 package I have installed is the latest available. A check of the OpenSSL website shows 0.9.7g source being the latest.

Is the CentOS 0.9.7a package patched to cover the same issues that the generic 0.9.7 source covers?

If not, what's my recourse? Build it by hand? If I need to build it, has anybody crossed that bridge?

Thanks.

-Pete

On Fri, 17.06.2005 at 1:56, Peter Loron wrote:
> I'm running a CentOS 3.4 box. According to yum, the OpenSSL 0.9.7a-33.15
> package I have installed is the latest available. A check of the OpenSSL
> website shows 0.9.7g source being the latest.
>
> Is the CentOS 0.9.7a package patched to cover the same issues that the
> generic 0.9.7 source covers?

> -Pete

The "33.15" indicates the patchlevel of the OpenSSL package. Yes, Red Hat backports [1] fixes for issues. You can check the rpm --changelog for CAN numbers and comments. In other words, you don't need to get the upstream version to be on the safe side.

[1] http://www.redhat.com/advice/speaks_backport.html

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.27_FC2smp
Serendipity 02:05:42 up 24 days, 43 users, load average: 0.37, 0.25, 0.20

On Thu, 2005-06-16 at 16:56 -0700, Peter Loron wrote:
> I'm running a CentOS 3.4 box. According to yum, the OpenSSL 0.9.7a-33.15
> package I have installed is the latest available. A check of the OpenSSL
> website shows 0.9.7g source being the latest.
>
> Is the CentOS 0.9.7a package patched to cover the same issues that the
> generic 0.9.7 source covers?
>
> If not, what's my recourse? Build it by hand? If I need to build it, has
> anybody crossed that bridge?
>

Read this concerning backporting:

http://www.redhat.com/advice/speaks_backport.html

If you have a specific CAN number you are concerned about, do this:

rpm --changelog -q openssl | grep CAN-xxxx

(or just grep CAN to see all security issues)

RedHat is very proactive at doing security updates...and CentOS is very quick to push them as soon as RedHat does.

Johnny Hughes wrote:
> On Thu, 2005-06-16 at 16:56 -0700, Peter Loron wrote:
>
>>I'm running a CentOS 3.4 box. According to yum, the OpenSSL 0.9.7a-33.15
>>package I have installed is the latest available. A check of the OpenSSL
>>website shows 0.9.7g source being the latest.
>>
>>Is the CentOS 0.9.7a package patched to cover the same issues that the
>>generic 0.9.7 source covers?
>>
>>If not, what's my recourse? Build it by hand? If I need to build it, has
>>anybody crossed that bridge?
>>
>
>
> Read this concerning backporting:
>
> http://www.redhat.com/advice/speaks_backport.html
>
> If you have a specific CAN number you are concerned about, do this:
>
> rpm --changelog -q openssl | grep CAN-xxxx
>
> (or just grep CAN to see all security issues)
>
> RedHat is very proactive at doing security updates...and CentOS is very
> quick to push them as soon as RedHat does.

Excellent! Thanks for the info on how to check for backports.

-Pete
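
Added example, not part of the original thread: a shell function that wraps the `rpm --changelog -q openssl | grep CAN` check discussed above so that several advisory IDs can be tested at once, treating the CAN- and CVE- prefixes as the same identifier and matching the number exactly. The function names, the sample changelog and its placeholder IDs and versions are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which advisory IDs are mentioned in an RPM changelog.
# CAN-YYYY-NNNN (candidate) and CVE-YYYY-NNNN name the same entry, so the
# prefix is normalised before matching.

# Constructed changelog text in rpm's format; IDs and versions are placeholders.
sample_changelog() {
    cat <<'EOF'
* Sat Jan 01 2005 Example Packager <packager@example.com> 0.0.0-2
- add security fix for CAN-0000-0001

* Wed Dec 01 2004 Example Packager <packager@example.com> 0.0.0-1
- backport fixes for CVE-0000-0002 and CAN-0000-00031
EOF
}

# Usage: rpm --changelog -q openssl | check_backports ID...
# Prints "<ID> listed", "<ID> not listed" or "<ID> invalid" per ID;
# returns 1 unless every ID is listed.
check_backports() {
    bp_log=$(cat)       # the changelog arrives on stdin
    bp_status=0
    for id in "$@"; do
        num=${id#CAN-}
        num=${num#CVE-}
        # Reject anything that is not YYYY-NNNN once the prefix is removed.
        if ! printf '%s\n' "$num" | grep -Eq '^[0-9]{4}-[0-9]{4,}$'; then
            echo "$id invalid"
            bp_status=1
            continue
        fi
        # The trailing guard stops 0000-0003 from matching 0000-00031.
        if printf '%s\n' "$bp_log" | grep -Eq "(CAN|CVE)-${num}([^0-9]|\$)"; then
            echo "$id listed"
        else
            echo "$id not listed"
            bp_status=1
        fi
    done
    return "$bp_status"
}

# Demo on the constructed sample; the last ID is absent from it.
sample_changelog | check_backports CAN-0000-0001 CVE-0000-0002 CAN-0000-0003 || true
```

An ID that is not listed only means the changelog does not mention it; the package's errata and the backporting page linked in the thread remain the reference for whether an issue applies.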