OpenSSL 0.9.7a seems to be vulnerable (was: Re: LKM Trojan)

William Hooper whooperhsd3 at earthlink.net
Wed Dec 1 16:29:58 UTC 2004


James Mckenzie said:
>> $ rpm -q --changelog openssl
>> ... (snip)
>> * Thu Mar 25 2004 Joe Orton <jorton at redhat.com> 0.9.7a-35
>>
>>
>> - add security fixes for CAN-2004-0079, CAN-2004-0112
>> ... (snip)
>>
>>
>> Moral of story: don't trust version numbers of packages.
>>
>
> You are correct.  However there were two security releases after this
> update.

Not according to the changelog.
http://www.openssl.org/news/changelog.html

> I still lean towards installing OpenSSL 0.9.7e directly from the
> OpenSSL web site.  However, there may be a further release through the FC
> Updates site.  In order to properly install the direct download, I would
> have to rpm -e (or yum remove) the installed rpm from FC and then install
> (and hope I don't break anything) the OpenSSL code.  This is an
> "advantage" of living on the "Bleeding Edge".

Which is your prerogative.  One has to ask, though, if you are going to
break the packaging system, why bother using one in the first place.

--
William Hooper
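A defender's check along the lines of the `rpm -q --changelog` approach quoted above, added here as an example that is not part of the thread: instead of trusting the version string, grep the package changelog for the advisory identifiers you care about. The changelog text is constructed from the lines quoted in the thread, and `advisories_missing` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report which advisory IDs a
# package changelog mentions. Distributions backport fixes without bumping the
# upstream version, so the changelog, not the version string, is the evidence.

# Constructed sample, modelled on the `rpm -q --changelog openssl` output quoted above.
SAMPLE_CHANGELOG='* Thu Mar 25 2004 Joe Orton <jorton at redhat.com> 0.9.7a-35

- add security fixes for CAN-2004-0079, CAN-2004-0112'

# advisories_missing CHANGELOG ID...
# Prints one line per ID; returns 0 only if every ID appears in CHANGELOG.
advisories_missing() {
    changelog=$1
    shift
    missing=0
    for id in "$@"; do
        # -F: literal match, -w: whole token, so CAN-2004-0079 does not match CAN-2004-00790
        if printf '%s\n' "$changelog" | grep -qwF -- "$id"; then
            echo "fixed:   $id"
        else
            echo "MISSING: $id"
            missing=1
        fi
    done
    return $missing
}

# On a live system you would pass the real changelog instead of the sample:
#   advisories_missing "$(rpm -q --changelog openssl)" CAN-2004-0079 CAN-2004-0112
advisories_missing "$SAMPLE_CHANGELOG" CAN-2004-0079 CAN-2004-0112
```

A non-zero exit means at least one advisory is not mentioned, which is the cue to look for a newer package rather than assume the version number tells the whole story.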
