Re: Redhat and OpenSSL Manner

Quoting Vahric MUHTARYAN <vahric doruk net tr>:

Hello,

We are scanning our web servers for vulnerabilities but I have a problem on one thing. I read that Red Hat never changes the version of OpenSSL but it's updating. It just only adds additional numbers behind the package, like below, but I don't know if this version is equal to 0.9.7l or 0.9.8d. Anybody have knowledge about it?


It's equivalent to 0.9.7a as originally distributed by the OpenSSL project, with security and bug fixes added to it by Red Hat. The package is always built from the version of the source it is claiming to be, with security and bug patches applied to it.

The rule of thumb is, the version is always what it says it is, with security and bug fixes backported from newer versions. In some cases, enhancements and new features might be backported from newer versions too if they are not introducing any compatibility problems (for example this is often done for the kernel package in RHEL to support new hardware). Notice the keyword "backported" that I used. Red Hat does not use a new version of the source code. They just reimplement fixes into the old version as a series of patches. If you look into the SRPM packages, you'll see that they contain the original unchanged source code, which is the same version as the package version, and also a bunch of patches (security and bug fixes) that get applied to that source code prior to compilation.
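A check for the situation described above, as an added example that is not from the thread: a version-string scanner cannot see backported fixes, so the package changelog (on a real host, `rpm -q --changelog openssl`) is compared against the finding instead. The package name, changelog text, release numbers and CVE ids below are constructed placeholders, not real advisories.

```shell
# Added example: reconcile a version-based scanner finding with the package
# changelog, where the backported fixes are recorded. On a real host replace
# SAMPLE_CHANGELOG with the output of: rpm -q --changelog openssl
# Everything below is a constructed sample so the script runs offline; the
# release numbers and CVE ids are placeholders.
SAMPLE_NVR='openssl-0.9.7a-43.17'
SAMPLE_CHANGELOG='* Mon Jan 01 2007 Example Maintainer <maint@example.com> 0.9.7a-43.17
- fix CVE-0000-0002 (backported from 0.9.8d)
* Mon Jan 01 2006 Example Maintainer <maint@example.com> 0.9.7a-43.16
- fix CVE-0000-0001 (backported from 0.9.7l)'

# upstream_version NVR -> the OpenSSL version the package is built from
# (second-to-last dash-separated field, so names like openssl-devel work too)
upstream_version() {
    printf '%s\n' "$1" | awk -F- '{ print $(NF - 1) }'
}

# fix_present CVE-ID CHANGELOG -> exit status 0 if a changelog entry names
# that exact id (token match, so CVE-0000-0001 does not match CVE-0000-00010)
fix_present() {
    printf '%s\n' "$2" | awk -v id="$1" '
        /^- / { n = split($0, w, /[ \t(),]+/)
                for (i = 1; i <= n; i++) if (w[i] == id) found = 1 }
        END   { exit found ? 0 : 1 }'
}

# assess NVR CVE-ID CHANGELOG -> one summary line to set beside the scanner
# report; the upstream base version alone does not answer the question
assess() {
    ver=$(upstream_version "$1")
    if fix_present "$2" "$3"; then
        printf '%s: upstream base %s, %s fixed by backport\n' "$1" "$ver" "$2"
    else
        printf '%s: upstream base %s, %s not listed in changelog\n' "$1" "$ver" "$2"
    fi
}

assess "$SAMPLE_NVR" CVE-0000-0001 "$SAMPLE_CHANGELOG"
assess "$SAMPLE_NVR" CVE-0000-0009 "$SAMPLE_CHANGELOG"
```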

