OpenSSL 0.9.7a seems to be vulnerable (was: Re: LKM Trojan)
James Mckenzie
jjmckenzie51 at earthlink.net
Wed Dec 1 16:14:12 UTC 2004
Paul:
>FC3 is using the following RPM:
>
>$ rpm -q openssl
>openssl-0.9.7a-40
>
>An examination of the changelog for this RPM shows that patches for various
>security vulnerabilities affecting openssl 0.9.7a have been included in this
>version:
>
>$ rpm -q --changelog openssl
>... (snip)
>* Thu Mar 25 2004 Joe Orton <jorton at redhat.com> 0.9.7a-35
>
>- add security fixes for CAN-2004-0079, CAN-2004-0112
>... (snip)
>
>Moral of story: don't trust version numbers of packages.
You are correct. However, there were two security releases after this update. I still lean towards installing OpenSSL 0.9.7e directly from the OpenSSL web site. However, there may be a further release through the FC Updates site. In order to properly install the direct download, I would have to rpm -e (or yum remove) the installed rpm from FC and then install (and hope I don't break anything) the OpenSSL code. This is an "advantage" of living on the "Bleeding Edge".
James McKenzie
A Proud User of Linux!
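The check Paul describes above, turned into a small script as an added example (not part of this thread or of Fedora's tooling): it reads `rpm -q --changelog` style text and reports the earliest package release whose entry mentions a given CAN/CVE id, so the question "does the installed 0.9.7a-40 carry the backported fix?" can be answered without relying on the upstream version number. The changelog text is a constructed sample in the style of the output quoted above, and the function names `first_release_with_fix` and `sample_check` are my own.

```shell
#!/bin/sh
# Constructed sample in the shape of `rpm -q --changelog openssl` output:
# entries are newest first, each header line starts with '*' and ends with
# the package release (version-release), followed by '-' bullet lines.
SAMPLE_CHANGELOG='* Mon Apr 05 2004 Example Maintainer <maint at example.com> 0.9.7a-36
- rebuild against updated toolchain

* Thu Mar 25 2004 Example Maintainer <maint at example.com> 0.9.7a-35
- add security fixes for CAN-2004-0079, CAN-2004-0112

* Wed Jan 07 2004 Example Maintainer <maint at example.com> 0.9.7a-30
- add security fix for CAN-2003-0851
'

# Read changelog text on stdin; print the earliest release whose entry
# mentions the id given as $1 (a CAN-/CVE- identifier). Exit 1 if none does.
first_release_with_fix() {
    awk -v id="$1" '
        /^\* /  { rel = $NF; next }                       # header: release is the last field
        $0 ~ ("(^|[^0-9])" id "([^0-9]|$)") { found = rel } # whole-id match, not a prefix
        END { if (found == "") exit 1; print found }      # newest-first, so last hit = earliest
    '
}

# Run the check against the installed package's real changelog.
installed_check() {
    rpm -q --changelog "$1" | first_release_with_fix "$2"
}

# Run the same check against the constructed sample (used for the demonstration).
sample_check() {
    printf '%s' "$SAMPLE_CHANGELOG" | first_release_with_fix "$1"
}

# Demonstration: the version string 0.9.7a says nothing about these backports;
# the changelog does.
for id in CAN-2004-0079 CAN-2003-0851 CAN-2004-0975; do
    if rel=$(sample_check "$id"); then
        echo "$id: fixed since release $rel"
    else
        echo "$id: not mentioned in changelog"
    fi
done
```

On a real system, `installed_check openssl CAN-2004-0079` performs the same lookup against the package actually installed; an id that is absent from the changelog is a prompt to look for a newer update, not proof that the package is vulnerable.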