Bug 69634 - RFE: Introduce OpenSSL 0.96g (and replace RH version numbering)
Product: Red Hat Linux
Classification: Retired
Component: openssl
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Keywords: FutureFeature
Reported: 2002-07-23 18:08 EDT by Peter van Egdom
Modified: 2007-04-18 12:44 EDT
Doc Type: Enhancement
Last Closed: 2003-01-09 17:21:38 EST
Description Peter van Egdom 2002-07-23 18:08:43 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020721

Description of problem:

According to :

OpenSSL 0.9.6d is the latest stable.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Check out Rawhide

Actual Results:  Saw OpenSSL 0.9.6b

Expected Results:  Expect OpenSSL 0.9.6d

Additional info:
Comment 1 Maurice Volaski 2002-08-04 19:03:16 EDT
The current version is now 0.96e. And this applies to rawhide as well. Why is this package being neglected?
Comment 2 Tim Tregubov 2002-09-13 15:57:50 EDT
Not only is this package behind, it also is several security bugfixes old.
Please update to 0.96e!  

> From: Ben Laurie <ben@algroup.co.uk>
>   Apache SSL <apache-ssl@lists.aldigital.co.uk>
> Subject: OpenSSL worm in the wild
> I have now seen a worm for the OpenSSL problems I reported a few weeks
> back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
> be _seriously worried_.
> It appears to be exclusively targeted at Linux systems, but I wouldn't
> count on variants for other systems not existing.
> Cheers,
> Ben

Comment 3 Barry K. Nathan 2002-09-13 19:30:57 EDT
AFAIK, Red Hat's OpenSSL 0.9.6b has the security fixes from 0.9.6e/f backported.
See http://rhn.redhat.com/errata/RHSA-2002-160.html -- I'd be surprised if Red
Hat dropped those fixes in (null).
Comment 4 Klaus-Dieter Schmidt 2002-09-24 08:59:30 EDT
Backport not secure enough: My RH7.2 web server with recent openssl RPMS (just
the ones on http://rhn.redhat.com/errata/RHSA-2002-160.html) was hit by the
currently spreading SSL worm, contradicting the claim of RedHat that the
bugfixes were implemented in the RedHat openssl RPMS! 0.9.6f should be used.
Comment 5 Michael Young 2002-09-24 12:26:01 EDT
Note if you hadn't restarted your web server since installing the update, you
will still have been using the old version (see
which recommends a complete reboot). Also the apache logs of a successful
attempt and a failed attempt are somewhat similar. If the OpenSSL error line
contains the string 1406B458 I believe you are okay.
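Comment 5's point, that a running httpd keeps using the old OpenSSL code until it is restarted, can be checked on a Linux host by looking for processes that still map a library file which has since been replaced on disk; such mappings are marked "(deleted)" in /proc/<pid>/maps. The following is an added example, not part of the original bug report; the sample maps text and the library paths in it are constructed.

```python
import glob
import re

# Matches the OpenSSL shared objects (libssl / libcrypto) at the end of a path.
LIB_PATTERN = re.compile(r"/(libssl|libcrypto)[^/]*\.so[^/]*$")
DELETED = " (deleted)"

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
08048000-08089000 r-xp 00000000 03:02 12345 /usr/sbin/httpd
40017000-40045000 r-xp 00000000 03:02 22222 /usr/lib/libssl.so.0.9.6b (deleted)
40045000-40049000 rw-p 0002d000 03:02 22222 /usr/lib/libssl.so.0.9.6b (deleted)
40050000-40120000 r-xp 00000000 03:02 33333 /usr/lib/libcrypto.so.0.9.6b
40200000-40210000 r-xp 00000000 03:02 44444 /lib/libc-2.2.4.so
"""

def stale_libs(maps_text):
    """Return sorted paths of OpenSSL libraries that a process mapped from
    files which were later replaced or removed on disk."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode path
        fields = line.rstrip().split(None, 5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        path = fields[5]
        if not path.endswith(DELETED):
            continue                      # file on disk is still the mapped one
        path = path[:-len(DELETED)]
        if LIB_PATTERN.search(path):
            stale.add(path)
    return sorted(stale)

def scan_proc():
    """Map pid -> stale OpenSSL libraries for every readable process."""
    findings = {}
    for maps_file in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(maps_file, errors="replace") as fh:
                libs = stale_libs(fh.read())
        except OSError:
            continue                      # process exited or access denied
        if libs:
            findings[int(maps_file.split("/")[2])] = libs
    return findings

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(f"pid {pid} still maps replaced library: {', '.join(libs)}")
```

Run as root so that other users' processes are readable; any process listed needs a restart before the updated package takes effect for it.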
Comment 6 Klaus-Dieter Schmidt 2002-09-25 07:00:11 EDT
Indeed I thought I restarted httpd via its init script. I was wrong, as
log files show. Put the blame on me. Sorry!
Comment 7 Peter van Egdom 2002-10-29 16:09:11 EST
Just an idea for Red Hat to think about:

Would it be wise to just introduce OpenSSL 0.9.6g in Rawhide and apply
any Red Hat patches to that version (instead of keeping an older OpenSSL
version and applying all the security diffs and Red Hat fixes to that)?

Thus we don't get a version of OpenSSL in Red Hat called openssl-0.9.6b-30,
which only confuses people about which version is included in Red Hat.
Comment 8 Bill Nottingham 2003-01-09 17:21:38 EST
0.9.7 is in rawhide now.
