From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020607

Description of problem:
There exists a buffer overflow bug in all versions of OpenSSL < 0.9.6e which affects (among other things) Apache server using mod_ssl. For details, please see the URL http://online.securityfocus.com/bid/5363 which describes the problem in more detail than I could...

Version-Release number of selected component (if applicable):
ALL

How reproducible:
Always

Steps to Reproduce:
1. N/A
2.
3.

Actual Results:
N/A

Expected Results:
N/A

Additional info:
I realize that a large part of the problem is that the OpenSSL team keeps breaking binary compatibility without updating the version number (besides a silly letter at the end), but you guys aren't really doing a very good job of keeping up with OpenSSL updates, and now we have a serious problem. Because you have decided to work around the version problem by bumping up the version number on the shared library, it is now also virtually impossible for administrators to update OpenSSL on our own without having to recompile a whole bunch of other programs. You have created a fictional shared library which is incompatible with the way the rest of the world manages dependencies upon OpenSSL, which is and should be still at libcrypto.0, et al.

This problem manifests itself in other ways, too; i.e. Apache 2.0 depends upon OpenSSL 0.9.6e or greater, so it's a great deal of work to get it working on Red Hat, for the same reasons as above.

I understand (at least partially) the difficulties, but I really think you need to find a better way to work around the versioning issues. Though actually, if you have a document somewhere that addresses the problem in detail, especially if it has a sensible work-around to these problems, I'd certainly like to know about that.

Thanks!
We fixed the OpenSSL vulnerabilities by backporting the security fixes, see http://rhn.redhat.com/errata/RHSA-2002-155.html and http://rhn.redhat.com/errata/RHSA-2002-160.html

> Apache 2.0 depends upon OpenSSL 0.9.6e or greater

This was actually a mistake by the Apache group made in a commit at the last minute of a release without the consequences being thought through. The next Apache 2.0 release simply warns about the OpenSSL version number.
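The two comments above illustrate why a bare version-string check is a poor vulnerability test: the reporter's rule ("all versions < 0.9.6e are affected") is correct for upstream OpenSSL, but a vendor that backports the fix (as the RHSA-2002-155 / RHSA-2002-160 reply describes) ships a package whose version string still reads as vulnerable. The following is an added example, not code from the bug report, Red Hat or the OpenSSL project: it parses OpenSSL-style version strings (numeric triple plus an optional patch letter), applies the "< 0.9.6e" rule from the report, and then consults a package changelog for the advisory IDs named in the reply before declaring a host affected. The `SAMPLE_CHANGELOG` text, the `assess` function and its return labels are all constructed for this example.

```python
import re
from typing import NamedTuple

# Fixed upstream version as stated in the bug report (BID 5363).
FIXED_UPSTREAM = "0.9.6e"

# Advisory IDs quoted in the maintainer's reply. On a distribution that
# backports fixes, finding one of these in the package changelog is the
# signal that the fix is present despite an "old" version string.
BACKPORT_ERRATA = ("RHSA-2002-155", "RHSA-2002-160")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: int  # letter suffix: 0 = none, 1 = 'a', ..., 26 = 'z'


def parse_version(text: str) -> OpenSSLVersion:
    """Parse '0.9.6' or '0.9.6e' into a comparable tuple.

    The trailing letter is the patch level the reporter calls "a silly
    letter at the end"; a missing letter sorts before 'a'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return OpenSSLVersion(int(major), int(minor), int(fix), patch)


def is_upstream_affected(version: str, fixed: str = FIXED_UPSTREAM) -> bool:
    """True when the version string alone says 'older than the fixed release'."""
    return parse_version(version) < parse_version(fixed)


def assess(version: str, changelog: str = "") -> str:
    """Classify a package as 'fixed-upstream', 'fixed-backport' or 'affected'.

    `changelog` is the text an administrator would obtain from the package
    manager (e.g. `rpm -q --changelog openssl`); it is only consulted when
    the version string by itself looks vulnerable.
    """
    if not is_upstream_affected(version):
        return "fixed-upstream"
    if any(errata in changelog for errata in BACKPORT_ERRATA):
        return "fixed-backport"
    return "affected"


# Constructed changelog excerpt standing in for real package metadata.
SAMPLE_CHANGELOG = """\
* (constructed entry) openssl-0.9.6b-28
- backport buffer overflow fixes, see RHSA-2002-155
"""

if __name__ == "__main__":
    for ver, log in (("0.9.6d", ""), ("0.9.6b", SAMPLE_CHANGELOG), ("0.9.6e", "")):
        print(f"{ver:8s} -> {assess(ver, log)}")
```

The point of `assess` is the ordering: the version comparison rules a package out only when it is at or above the upstream fix, and a version below it is reported as affected only after the changelog has been searched for the backport errata. A scanner that stops at the first step is what produces the false positives the maintainer's reply is answering.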