Red Hat Bugzilla – Bug 69634
RFE: Introduce OpenSSL 0.96g (and replace RH version numbering)
Last modified: 2007-04-18 12:44:25 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020721
Description of problem:
According to :
OpenSSL 0.9.6d is the latest stable.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Check out Rawhide
Actual Results: Saw OpenSSL 0.9.6b
Expected Results: Expect OpenSSL 0.9.6d
the current version is now 0.96e. And this applies to rawhide as well. Why is this package being neglected?
Not only is this package behind it also is several security bugfixes old.
Please update to 0.96e!
> From: Ben Laurie <email@example.com>
> To: Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>,
> Apache SSL <firstname.lastname@example.org>
> Subject: OpenSSL worm in the wild
> I have now seen a worm for the OpenSSL problems I reported a few weeks
> back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
> be _seriously worried_.
> It appears to be exclusively targeted at Linux systems, but I wouldn't
> count on variants for other systems not existing.
AFAIK, Red Hat's OpenSSL 0.9.6b has the security fixes from 0.9.6e/f backported.
See http://rhn.redhat.com/errata/RHSA-2002-160.html -- I'd be surprised if Red
Hat dropped those fixes in (null).
Backport not secure enough: My RH7.2 web server with recent openssl RPMS (just
the ones on http://rhn.redhat.com/errata/RHSA-2002-160.html) was hit by the
currently spreading SSL worm, contradicting the claim of RedHat that the
bugfixes were implemented in the RedHat openssl RPMS! 0.9.6f should be used.
Note that if you hadn't restarted your web server since installing the update, you
will still have been using the old version (see
which recommends a complete reboot). Also the apache logs of a successful
attempt and a failed attempt are somewhat similar. If the OpenSSL error line
contains the string 1406B458 I believe you are okay.
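A defender-side check for the two points made in the comment above, added here as example code (it is not from the bug report or from Red Hat): it pairs each mod_ssl "SSL handshake failed" line with the OpenSSL error line that follows and marks the 1406B458 code as a rejected attempt, and it spots an httpd that still maps a replaced libssl/libcrypto because it was never restarted. The log excerpt and the /proc maps excerpt are constructed; the "(deleted)" suffix is the Linux kernel's marker for a mapped file that has been replaced on disk.

```python
import re

# Constructed mod_ssl error-log excerpt (not taken from the bug report).
SAMPLE_LOG = """\
[Mon Sep 16 10:01:02 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 10.0.0.5) (OpenSSL library error follows)
[Mon Sep 16 10:01:02 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Mon Sep 16 10:07:44 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 10.0.0.9) (OpenSSL library error follows)
[Mon Sep 16 10:07:44 2002] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

# Constructed /proc/<pid>/maps excerpt of an httpd still holding the pre-update library.
SAMPLE_MAPS = """\
40000000-40016000 r-xp 00000000 03:01 12345      /lib/ld-2.2.4.so
4002b000-4007d000 r-xp 00000000 03:01 23456      /usr/lib/libssl.so.2 (deleted)
"""

FAILED_RE = re.compile(r"SSL handshake failed .*client ([\d.]+)\)")
ERR_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):")
BLOCKED_CODE = "1406B458"  # the code the comment names as the sign of a rejected attempt


def classify_handshakes(log_text):
    """Return (client_ip, error_code, verdict) for each failed handshake.

    'rejected' means the patched library refused the request with 1406B458;
    any other code is 'review': not proof of compromise, but not the clean signal.
    """
    results, pending = [], None
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pending = m.group(1)  # remember the client until its error line arrives
            continue
        m = ERR_RE.search(line)
        if m and pending:
            code = m.group(1).upper()
            results.append((pending, code, "rejected" if code == BLOCKED_CODE else "review"))
            pending = None
    return results


def uses_deleted_ssl_lib(maps_text):
    """True if a maps listing shows libssl/libcrypto marked '(deleted)', i.e. the
    process still runs the library that the RPM update replaced on disk."""
    return any("(deleted)" in ln and re.search(r"lib(ssl|crypto)", ln)
               for ln in maps_text.splitlines())


if __name__ == "__main__":
    for client, code, verdict in classify_handshakes(SAMPLE_LOG):
        print(f"{client}\t{code}\t{verdict}")
    print("stale libssl mapped:", uses_deleted_ssl_lib(SAMPLE_MAPS))
```

On a live host, feed `uses_deleted_ssl_lib` the contents of `/proc/<httpd pid>/maps`; a True result means the update is installed but not yet in effect.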
Indeed I thought I restarted httpd via its init script. I was wrong, as
log files show. Put the blame on me. Sorry!
Just an idea for Red Hat to think about :
Would it be wise to just introduce OpenSSL 0.9.6g in Rawhide and apply
any Red Hat patches to that version (instead of keeping an older OpenSSL
version and applying all the security diffs and Red Hat fixes to that).
Thus we don't get a version of OpenSSL in Red Hat called openssl-0.9.6b-30,
which only confuses people about which version is included in Red Hat.
0.9.7 is in rawhide now.