Bug 69634 - RFE: Introduce OpenSSL 0.96g (and replace RH version numbering)
Summary: RFE: Introduce OpenSSL 0.96g (and replace RH version numbering)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssl
Version: 8.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-07-23 22:08 UTC by Peter van Egdom
Modified: 2007-04-18 16:44 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-01-09 22:21:38 UTC
Embargoed:



Description Peter van Egdom 2002-07-23 22:08:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020721

Description of problem:

According to:
http://www.openssl.org/source/

OpenSSL 0.9.6d is the latest stable.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Check out Rawhide

Actual Results:  Saw OpenSSL 0.9.6b

Expected Results:  Expect OpenSSL 0.9.6d

Additional info:

Comment 1 Maurice Volaski 2002-08-04 23:03:16 UTC
The current version is now 0.96e. And this applies to rawhide as well. Why is this package being neglected?

Comment 2 Tim Tregubov 2002-09-13 19:57:50 UTC
Not only is this package behind, it is also several security bugfixes old.
Please update to 0.96e!


> From: Ben Laurie <ben.uk>
> To: Bugtraq <BUGTRAQ>,
>   Apache SSL <apache-ssl.co.uk>
> Subject: OpenSSL worm in the wild
>
> I have now seen a worm for the OpenSSL problems I reported a few weeks
> back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
> be _seriously worried_.
>
> It appears to be exclusively targeted at Linux systems, but I wouldn't
> count on variants for other systems not existing.
>
> Cheers,
> Ben
>


Cheers,
Tim

Comment 3 Barry K. Nathan 2002-09-13 23:30:57 UTC
AFAIK, Red Hat's OpenSSL 0.9.6b has the security fixes from 0.9.6e/f backported.
See http://rhn.redhat.com/errata/RHSA-2002-160.html -- I'd be surprised if Red
Hat dropped those fixes in (null).

Comment 4 Klaus-Dieter Schmidt 2002-09-24 12:59:30 UTC
Backport not secure enough: My RH7.2 web server with recent openssl RPMS (just
the ones on http://rhn.redhat.com/errata/RHSA-2002-160.html) was hit by the
currently spreading SSL worm, contradicting the claim of RedHat that the
bugfixes were implemented in the RedHat openssl RPMS! 0.9.6f should be used
instead!

Comment 5 Michael Young 2002-09-24 16:26:01 UTC
Note if you hadn't restarted your web server since installing the update, you
will still have been using the old version (see
http://www.redhat.com/support/alerts/linux_slapper_worm.html
which recommends a complete reboot). Also the apache logs of a successful
attempt and a failed attempt are somewhat similar. If the OpenSSL error line
contains the string 1406B458, I believe you are okay.
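
A log check in the spirit of Comment 5, added here as an example (it is not code from the bug, from Red Hat or from the commenter): it decodes the OpenSSL error code on each mod_ssl error line and counts lines carrying the 1406B458 marker against lines with any other code. The sample log lines are constructed, the reason texts on them are assumed, and the marker is treated only as the "handshake refused" indicator the comment describes.

```python
import re
from typing import Dict, List, Optional
# OpenSSL error string as mod_ssl writes it to the Apache error log:
#   error:<8 hex digits>:<library>:<function>:<reason text>
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
# Marker named in Comment 5; treated here as an opaque "handshake refused" indicator.
REJECTED_MARKER = "1406B458"
ERR_LIB_SSL = 0x14  # OpenSSL's library id for libssl (the leading "14" above)

# Constructed sample of an Apache 1.3/mod_ssl error_log (not taken from the bug):
SAMPLE_LOG = [
    "[Tue Sep 24 12:01:02 2002] [error] mod_ssl: SSL handshake failed "
    "(server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)",
    "[Tue Sep 24 12:01:02 2002] [error] OpenSSL: error:1406B458:SSL routines:"
    "GET_CLIENT_MASTER_KEY:key arg too long",
    "[Tue Sep 24 12:05:41 2002] [error] mod_ssl: SSL handshake failed "
    "(server www.example.com:443, client 192.0.2.11) (OpenSSL library error follows)",
    "[Tue Sep 24 12:05:41 2002] [error] OpenSSL: error:1408F10B:SSL routines:"
    "SSL3_GET_RECORD:wrong version number",
]

def unpack_err(code_hex: str) -> Dict[str, int]:
    """Split a packed OpenSSL error code (ERR_PACK layout: library in the top
    8 bits, function in the next 12, reason in the low 12) into its fields."""
    code = int(code_hex, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def classify_line(line: str) -> Optional[Dict[str, object]]:
    """Decode the OpenSSL error on a log line; None if the line carries none."""
    m = OPENSSL_ERR.search(line)
    if m is None:
        return None
    code_hex, lib_name, func_name, reason = m.groups()
    return {
        "code": code_hex.upper(),
        "lib": lib_name, "func": func_name, "reason": reason.strip(),
        "is_ssl_lib": unpack_err(code_hex)["lib"] == ERR_LIB_SSL,
        "rejected": code_hex.upper() == REJECTED_MARKER,
    }

def scan_log(lines: List[str]) -> Dict[str, int]:
    """Count OpenSSL errors carrying the rejection marker versus any other
    code, which a reviewer should look at more closely."""
    counts = {"rejected": 0, "inspect": 0}
    for line in lines:
        hit = classify_line(line)
        if hit is not None:
            counts["rejected" if hit["rejected"] else "inspect"] += 1
    return counts
```

Lines without an OpenSSL error string (the "SSL handshake failed" line itself) are skipped, so only the line that names the error code decides the classification.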

Comment 6 Klaus-Dieter Schmidt 2002-09-25 11:00:11 UTC
Indeed I thought I restarted httpd via its init script. I was wrong, as
log files show. Put the blame on me. Sorry!

Comment 7 Peter van Egdom 2002-10-29 21:09:11 UTC
Just an idea for Red Hat to think about:

Would it be wise to just introduce OpenSSL 0.9.6g in Rawhide and apply
any Red Hat patches to that version (instead of keeping an older OpenSSL
version and applying all the security diffs and Red Hat fixes to that)?

Thus we don't get a version of OpenSSL in Red Hat called openssl-0.9.6b-30,
which only confuses people about which version is included in Red Hat.

Comment 8 Bill Nottingham 2003-01-09 22:21:38 UTC
0.9.7 is in rawhide now.

