Why does it take so long for new (gimp, kernels, openoffice) packages to reach the stable repo ?

Kevin Kofler kevin.kofler at chello.at
Fri Oct 17 23:12:41 UTC 2008


Rick Stevens <ricks <at> nerd.com> writes:
> you really need to run 0.9.8h or 0.9.8i because of security issues.

No you don't. The only security advisory released after 0.9.8g is this:
http://www.openssl.org/news/secadv_20080528.txt
(There's another one on their site, but that's for openssl-fips, not openssl 
itself. That's a separate tarball which is not shipped in Fedora at all.)
The security issues this fixes are CVE-2008-0891 and CVE-2008-1672. They are 
fixed for Fedora 9 in openssl-0.9.8g-9.fc9:
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01029.html
The old versions of OpenSSL in Fedora 8 are not affected by either of those 
vulnerabilities (they were both introduced only in 0.9.8f), that's why no 
security update for Fedora 8 or RHEL/CentOS has been issued.

Don't believe the version numbers alone. Red Hat often backports security 
fixes, especially for RHEL, but also for Fedora in cases like OpenSSL where 
every new version is incompatible with the previous ones. You can trust the Red 
Hat and Fedora security teams to know what they are doing and to issue security 
updates where appropriate.

        Kevin Kofler




More information about the fedora-list mailing list