OpenSSL 0.9.7a seems to be vulnerable (was: Re: LKM Trojan)
James Mckenzie
jjmckenzie51 at earthlink.net
Wed Dec 1 15:09:03 UTC 2004
Scootgirl said:
>Hi Rahul,
>I used that tool and it said everything on my system was OK except the
>following:
>[16:55:09] Scanning OpenSSL...
>[16:55:09] /usr/bin/openssl found
>[16:55:09] Version 0.9.7a seems to be vulnerable (if unpatched)!
This is a very old version of OpenSSL 0.9.7 and has a known vulnerability, which was confirmed at the OpenSSL (www.openssl.org) web page. OpenSSL 0.9.7 is now up to version 0.9.7e, released two weeks before FC3 was released. I think that FC3 should have at least OpenSSL 0.9.7d. Depending on how you installed FC/RH, you can just download the source code and build OpenSSL.
>I wonder if this is a false positive since I use the up2date tool
>frequently. If not, where can I get this patch?
Depending on which release you have, you might not get the latest and greatest release/updates. That is why I tend to visit most of the sites that directly support additional software for my system on a semi-regular basis. I will check my system to see which version of OpenSSL is installed, and if necessary, update it. If I get the time, I may build an .rpm for OpenSSL and send it to the Extras site when it comes up.
James McKenzie
A Proud User of Linux!