On 07/26/2011 09:33 AM, Paul Reilly wrote:
> Is there a Red Hat article which explains which RPM openssl packages
> correspond to which OpenSSL open source versions, and which patches are
> included?
> For example, on my Red Hat Enterprise Linux Server release 5.6 I have this
> openssl package installed:
>
> openssl-0.9.8e-12.el5_5.7
>
> But 0.9.8e is a vulnerable version of OpenSSL.
> How do I know what patches are included in the -12 release from Red Hat?
>
> Thanks,
> Paul

You can get some info from the changelog for the package.

rpm -q --changelog openssl|less

* Mon Jun 29 2009 Tomas Mraz <[email protected]> 0.9.8e-12
- abort if selftests failed and random number generator is polled
- mention EVP_aes and EVP_sha2xx routines in the manpages
- add README.FIPS

* Thu May 21 2009 Tomas Mraz <[email protected]> 0.9.8e-10
- fix CVE-2009-1386 CVE-2009-1387 (DTLS DoS problems)
  (#503685, #503688)

<snip>

So, -10 fixed the CVEs listed and has bugzilla.redhat.com ticket numbers 503685 and 503688.

You can also look at the errata notice for openssl in RHN if you search by package name.

Finally, you can download the source rpm and check the SOURCE for a list of patches.

Hugh

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
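
Added example, not part of the original message: a shell helper that turns the changelog check described in the reply into a CVE-to-release map. The function names are hypothetical, and the sample input is the two changelog entries quoted in the reply.

```shell
# Usage on a real system: rpm -q --changelog openssl | cve_fixed_in
# Reads changelog text on stdin; prints "CVE-id<TAB>version-release" per mention.
cve_fixed_in() {
    awk '
        /^\* / {    # entry header: "* Day Mon DD YYYY Name <email> version-release"
            rel = ($NF ~ /^[0-9]/) ? $NF : "unknown"
            next
        }
        {           # entry body: collect every CVE id on the line
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                printf "%s\t%s\n", substr(line, RSTART, RLENGTH), rel
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

# Exit status 0 if the changelog on stdin mentions the CVE id given as $1.
changelog_has_cve() {
    cve_fixed_in | awk -F '\t' -v id="$1" '$1 == id { found = 1 } END { exit !found }'
}

# Sample input: the changelog entries quoted in the reply above.
sample_changelog() {
    cat <<'EOF'
* Mon Jun 29 2009 Tomas Mraz <[email protected]> 0.9.8e-12
- abort if selftests failed and random number generator is polled
- mention EVP_aes and EVP_sha2xx routines in the manpages
- add README.FIPS

* Thu May 21 2009 Tomas Mraz <[email protected]> 0.9.8e-10
- fix CVE-2009-1386 CVE-2009-1387 (DTLS DoS problems)
  (#503685, #503688)
EOF
}
```

A CVE that does not appear in the output is not necessarily unfixed: the changelog only lists what the packager chose to note, so the errata notice remains the place to confirm.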
