From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020721

Description of problem:
According to http://www.openssl.org/source/ OpenSSL 0.9.6d is the latest stable.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Check out Rawhide
2.
3.

Actual Results: Saw OpenSSL 0.9.6b

Expected Results: Expect OpenSSL 0.9.6d

Additional info:
The current version is now 0.96e, and this applies to Rawhide as well. Why is this package being neglected?
Not only is this package behind, it is also several security bugfixes old. Please update to 0.96e!

> From: Ben Laurie <ben.uk>
> To: Bugtraq <BUGTRAQ>,
> Apache SSL <apache-ssl.co.uk>
> Subject: OpenSSL worm in the wild
>
> I have now seen a worm for the OpenSSL problems I reported a few weeks
> back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
> be _seriously worried_.
>
> It appears to be exclusively targeted at Linux systems, but I wouldn't
> count on variants for other systems not existing.
>
> Cheers,
> Ben

Cheers, Tim
AFAIK, Red Hat's OpenSSL 0.9.6b has the security fixes from 0.9.6e/f backported. See http://rhn.redhat.com/errata/RHSA-2002-160.html -- I'd be surprised if Red Hat dropped those fixes in (null).
Backport not secure enough: My RH7.2 web server with recent openssl RPMS (just the ones on http://rhn.redhat.com/errata/RHSA-2002-160.html) was hit by the currently spreading SSL worm, contradicting the claim of RedHat that the bugfixes were implemented in the RedHat openssl RPMS! 0.9.6f should be used instead!
Note that if you hadn't restarted your web server since installing the update, you will still have been using the old version (see http://www.redhat.com/support/alerts/linux_slapper_worm.html, which recommends a complete reboot). Also, the Apache logs of a successful attempt and a failed attempt are somewhat similar. If the OpenSSL error line contains the string 1406B458, I believe you are okay.
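The log check described in the comment above, as an added example that is not part of this bug report: it scans Apache error-log lines for OpenSSL error strings, counts each error code, and lists lines carrying any code other than the 1406B458 rejection named in the thread so they can be reviewed. The sample lines are constructed in Apache 1.3 error-log style; only the 1406B458 code comes from the thread, the other codes and texts are made up to exercise the parser.

```python
import re
from collections import Counter

# OpenSSL's error-string layout: error:<8-hex code>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^\n]*)")

# The only code the thread names: a patched server rejecting the oversized key argument.
KNOWN_GOOD_CODES = {"1406B458"}


def triage_ssl_errors(log_lines):
    """Count OpenSSL error codes in Apache error-log lines.

    Returns (counts, suspect): `counts` maps each error code to how often it
    appeared, `suspect` lists the lines whose SSL error is NOT a known-good
    rejection and therefore deserves a closer look."""
    counts = Counter()
    suspect = []
    for line in log_lines:
        m = OPENSSL_ERR.search(line)
        if not m:
            continue  # not an OpenSSL error line (notices, other modules, ...)
        code = m.group(1).upper()
        counts[code] += 1
        if code not in KNOWN_GOOD_CODES:
            suspect.append(line.rstrip())
    return counts, suspect


# Constructed sample log (not real data): two known-good rejections, one other
# SSL error, one unrelated notice line.
SAMPLE_LOG = """\
[Fri Sep 13 21:12:03 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Fri Sep 13 21:12:05 2002] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[Fri Sep 13 21:13:00 2002] [notice] Apache/1.3.23 (Unix) configured -- resuming normal operations
[Fri Sep 13 21:14:41 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
"""

if __name__ == "__main__":
    counts, suspect = triage_ssl_errors(SAMPLE_LOG.splitlines())
    for code, n in counts.most_common():
        print(f"{code}: {n} line(s)")
    for line in suspect:
        print("REVIEW:", line)
```

On a real server, feed it the lines of the Apache error log (for example `triage_ssl_errors(open("/var/log/httpd/error_log"))`, path being an assumption) and review whatever lands in `suspect`.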
Indeed I thought I restarted httpd via its init script. I was wrong, as log files show. Put the blame on me. Sorry!
Just an idea for Red Hat to think about: would it be wise to just introduce OpenSSL 0.9.6g in Rawhide and apply any Red Hat patches to that version (instead of keeping an older OpenSSL version and applying all the security diffs and Red Hat fixes to that)? Then we don't get a version of OpenSSL in Red Hat called openssl-0.9.6b-30, which only confuses people about which version is included in Red Hat.
0.9.7 is in Rawhide now.