Re: openssl & FC4 (was Re: FW: [SLUG] Fedora Core 5)

2006-03-21 Thread O Plameras

David Gillies wrote:


> Check what the release version of the openssl rpm is. It should be the
> same release version as this (7.10)
>
> $ rpm -qi openssl
> Name        : openssl                       Relocations: (not relocatable)
> Version     : 0.9.7f                        Vendor: Red Hat, Inc.
> Release     : 7.10                          Build Date: Wed 12 Oct 2005 20:22:50 EST
> Install Date: Mon 31 Oct 2005 16:15:59 EST  Build Host: hs20-bc1-1.build.redhat.com
> Group       : System Environment/Libraries  Source RPM: openssl-0.9.7f-7.10.src.rpm
> Size        : 2961095                       License: BSDish
> Signature   : DSA/SHA1, Fri 14 Oct 2005 13:06:59 EST, Key ID b44269d04f2a6fd2
> Packager    : Red Hat, Inc.
> URL         : http://www.openssl.org/
> Summary     : The OpenSSL toolkit.
> Description :
> The OpenSSL toolkit provides support for secure communications between
> machines. OpenSSL includes a certificate management tool and shared
> libraries which provide various cryptographic algorithms and protocols.

  

One poster has suggested this: ([EMAIL PROTECTED])

rpm --changelog -q openssl

And I got this precise information:

* Thu Oct 13 2005 Tomas Mraz <[EMAIL PROTECTED]> 0.9.7f-7.10
- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which
 disables the countermeasure against man in the middle attack in SSLv2
 (#169863)
- more fixes for constant time/memory access for DSA signature algorithm
- updated ICA engine patch
- ca-bundle.crt should be config(noreplace)
- add *.so.soversion as symlinks in /lib (#165264)
- remove unpackaged symlinks (#159595)
- fixes from upstream (bn assembler div on ppc arch,
 initialize memory on realloc)



O Plameras





--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
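
Added example, not part of the original thread: the changelog check from the message above as a small shell function. It reads `rpm --changelog -q <package>` output on stdin and prints the version-release of each entry that mentions a given advisory id, treating the older CAN- prefix and the CVE- prefix as equivalent. The function names and the second sample entry are constructed for illustration; the first sample entry is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.

# changelog_fix_release ID
#   stdin : output of `rpm --changelog -q <package>`
#   stdout: version-release of every changelog entry whose text mentions ID
changelog_fix_release() {
    num=${1#CAN-}        # accept either the CAN- or the CVE- spelling
    num=${num#CVE-}
    awk -v num="$num" '
        # Entry header: "* <date> <packager> <version-release>"
        /^\* / { rel = $NF; seen = 0; next }
        # Body line naming the id; the trailing class stops 2969 matching 29690
        $0 ~ ("(CAN|CVE)-" num "([^0-9]|$)") {
            if (!seen) { print rel; seen = 1 }
        }
    '
}

# Sample input: first entry as quoted in the thread, second entry constructed.
sample_changelog() {
    cat <<'EOF'
* Thu Oct 13 2005 Tomas Mraz <[EMAIL PROTECTED]> 0.9.7f-7.10
- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which
 disables the countermeasure against man in the middle attack in SSLv2
 (#169863)
- more fixes for constant time/memory access for DSA signature algorithm

* Sat Jan 01 2005 Example Packager <packager@example.invalid> 0.9.7f-1
- constructed entry: initial build, no security fixes listed
EOF
}

# On a live system: rpm --changelog -q openssl | changelog_fix_release CVE-2005-2969
sample_changelog | changelog_fix_release CVE-2005-2969   # prints 0.9.7f-7.10
```

Empty output means no changelog entry names the id, which is the cue to read the distribution's own security announcements rather than assume the package is fixed or unfixed from its upstream version string.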


Re: openssl & FC4 (was Re: FW: [SLUG] Fedora Core 5)

2006-03-21 Thread Howard Lowndes



O Plameras wrote:

> David Gillies wrote:
>> O Plameras wrote:
>>> David Gillies wrote:
>>>> O Plameras wrote:
>>>>> I tried to install OpenSSL-0.9.8a in FC 4. But there are far too many
>>>>> packages that rely on OpenSSL-0.9.7f that comes with FC4. It's
>>>>> not worth my effort chasing rainbows.
>>>>
>>>> openssl in FC4 is patched as openssl 0.9.7f
>>>
>>> Was patched in openssl-0.9.7h.
>>
>> And was then backported to 0.9.7f-7.10 in FC4.

This is definitely what is in my repository - as of Oct 14

> Sorry, I don't get this backported version in FC4 or FC3. My auto-update
> using yum does not pick this up. I still have openssl-0.9.7f in all my FC3
> and FC4.
>
> I'll check my repos why this is the case.
>
> O Plameras



--
Howard.
LANNet Computing Associates - Your Linux people 
When you want a computer system that works, just choose Linux;
When you want a computer system that works, just, choose Microsoft.
--
Flatter government, not fatter government; abolish the Australian states.



Re: openssl & FC4 (was Re: FW: [SLUG] Fedora Core 5)

2006-03-21 Thread David Gillies

O Plameras wrote:
> David Gillies wrote:
>> O Plameras wrote:
>>> David Gillies wrote:
>>>> O Plameras wrote:
>>>>> I tried to install OpenSSL-0.9.8a in FC 4. But there are far too many
>>>>> packages that rely on OpenSSL-0.9.7f that comes with FC4. It's
>>>>> not worth my effort chasing rainbows.
>>>>
>>>> openssl in FC4 is patched as openssl 0.9.7f
>>>
>>> Was patched in openssl-0.9.7h.
>>
>> And was then backported to 0.9.7f-7.10 in FC4.
>
> Sorry, I don't get this backported version in FC4 or FC3. My auto-update
> using yum does not pick this up. I still have openssl-0.9.7f in all my FC3
> and FC4.

Check what the release version of the openssl rpm is. It should be the
same release version as this (7.10)

$ rpm -qi openssl
Name        : openssl                       Relocations: (not relocatable)
Version     : 0.9.7f                        Vendor: Red Hat, Inc.
Release     : 7.10                          Build Date: Wed 12 Oct 2005 20:22:50 EST
Install Date: Mon 31 Oct 2005 16:15:59 EST  Build Host: hs20-bc1-1.build.redhat.com
Group       : System Environment/Libraries  Source RPM: openssl-0.9.7f-7.10.src.rpm
Size        : 2961095                       License: BSDish
Signature   : DSA/SHA1, Fri 14 Oct 2005 13:06:59 EST, Key ID b44269d04f2a6fd2
Packager    : Red Hat, Inc.
URL         : http://www.openssl.org/
Summary     : The OpenSSL toolkit.
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and protocols.

- --
dave.


Re: openssl & FC4 (was Re: FW: [SLUG] Fedora Core 5)

2006-03-21 Thread O Plameras

Norman Gaywood wrote:

> On Wed, Mar 22, 2006 at 02:31:34PM +1100, O Plameras wrote:
>> David Gillies wrote:
>>> O Plameras wrote:
>>>> I tried to install OpenSSL-0.9.8a in FC 4. But there are far too many
>>>> packages that rely on OpenSSL-0.9.7f that comes with FC4. It's
>>>> not worth my effort chasing rainbows.
>>>
>>> openssl in FC4 is patched as openssl 0.9.7f
>>
>> Was patched in openssl-0.9.7h.
>
> openssl 0.9.7f is the base for FC4. Many upstream patches are applied to
> that. To see what:
>
> rpm --changelog -q openssl
  


You're spot on here.

Thanks.

O Plameras



Re: openssl & FC4 (was Re: FW: [SLUG] Fedora Core 5)

2006-03-21 Thread CaT
On Wed, Mar 22, 2006 at 02:42:06PM +1100, O Plameras wrote:
> >>>openssl in FC4 is patched as openssl 0.9.7f 
> >>>  
> >>Was patched in openssl-0.9.7h.
> >
> >And was then backported to 0.9.7f-7.10 in FC4.
> 
> Sorry, I don't get this backported version in FC4 or FC3. My auto-update 
> using
> yum does not pick this up. I still have openssl-0.9.7f in all  my FC3 
> and FC4.
> 
> I'll check my repos why this is the case.

It means that the patch fixing the issue was taken out of the latest
version and applied to the version available in FC4 so as to keep it as
stable as possible.

You may wish to RTFM for more info:

http://www.redhat.com/archives/fedora-announce-list/2005-October/msg00043.html

http://72.14.203.104/search?q=cache:M-u2kkoUFiUJ:www.redhat.com/archives/fedora-announce-list/2005-October/msg00043.html

;)

-- 
"To the extent that we overreact, we proffer the terrorists the
greatest tribute."
- High Court Judge Michael Kirby


Re: openssl & FC4 (was Re: FW: [SLUG] Fedora Core 5)

2006-03-21 Thread Norman Gaywood
On Wed, Mar 22, 2006 at 02:31:34PM +1100, O Plameras wrote:
> David Gillies wrote:
> >O Plameras wrote:
> >>I tried to install OpenSSL-0.9.8a in FC 4. But there are far too many
> >>packages that rely on OpenSSL-0.9.7f that comes with FC4. It's
> >>not worth my effort  chasing rainbows.
> >
> >openssl in FC4 is patched as openssl 0.9.7f 
> 
> Was patched in openssl-0.9.7h.

openssl 0.9.7f is the base for FC4. Many upstream patches are applied to
that. To see what:

rpm --changelog -q openssl

-- 
Norman Gaywood, Systems Administrator
School of Mathematics, Statistics and Computer Science
University of New England, Armidale, NSW 2351, Australia

[EMAIL PROTECTED]                 Phone: +61 (0)2 6773 2412
http://turing.une.edu.au/~norm    Fax:   +61 (0)2 6773 3312

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html


Re: openssl & FC4 (was Re: FW: [SLUG] Fedora Core 5)

2006-03-21 Thread O Plameras

David Gillies wrote:

> O Plameras wrote:
>> David Gillies wrote:
>>> O Plameras wrote:
>>>> I tried to install OpenSSL-0.9.8a in FC 4. But there are far too many
>>>> packages that rely on OpenSSL-0.9.7f that comes with FC4. It's
>>>> not worth my effort chasing rainbows.
>>>
>>> openssl in FC4 is patched as openssl 0.9.7f
>>
>> Was patched in openssl-0.9.7h.
>
> And was then backported to 0.9.7f-7.10 in FC4.

Sorry, I don't get this backported version in FC4 or FC3. My auto-update
using yum does not pick this up. I still have openssl-0.9.7f in all my FC3
and FC4.


I'll check my repos why this is the case.

O Plameras



Re: openssl & FC4 (was Re: FW: [SLUG] Fedora Core 5)

2006-03-21 Thread David Gillies

O Plameras wrote:
> David Gillies wrote:
>> O Plameras wrote:
>>> I tried to install OpenSSL-0.9.8a in FC 4. But there are far too many
>>> packages that rely on OpenSSL-0.9.7f that comes with FC4. It's
>>> not worth my effort chasing rainbows.
>>
>> openssl in FC4 is patched as openssl 0.9.7f
>
> Was patched in openssl-0.9.7h.

And was then backported to 0.9.7f-7.10 in FC4.

- --
dave.


Re: openssl & FC4 (was Re: FW: [SLUG] Fedora Core 5)

2006-03-21 Thread O Plameras

David Gillies wrote:

> O Plameras wrote:
>> I tried to install OpenSSL-0.9.8a in FC 4. But there are far too many
>> packages that rely on OpenSSL-0.9.7f that comes with FC4. It's
>> not worth my effort chasing rainbows.
>
> openssl in FC4 is patched as openssl 0.9.7f

Was patched in openssl-0.9.7h.

> (which was released for FC4
> when the vulnerability was announced last year) contains the same
> security fix as openssl 0.9.8a.
>
> http://www.openssl.org/news/secadv_20051011.txt
> http://lwn.net/Alerts/155824/


O Plameras


Re: openssl & FC4 (was Re: FW: [SLUG] Fedora Core 5)

2006-03-21 Thread James Purser
> openssl in FC4 is patched as openssl 0.9.7f (which was released for FC4
> when the vulnerability was announced last year) contains the same
> security fix as openssl 0.9.8a.
>
> http://www.openssl.org/news/secadv_20051011.txt
> http://lwn.net/Alerts/155824/

And of course, the really stupid thing is that Redhat/Fedora have been
doing this sort of thing for years. They always futz with the version
numbers, so that what you have on your FC/RH system is usually a mix of
the named version and back ported patches.

This is nothing new, people, and a reason why you should pay attention to
what your distro releases in terms of security alerts instead of blindly
following the originating project's alerts.

Finally I would just like to add

"Join our LUG, Join our LUG, We're From Sydney, We Get Mugged"
-- 
James Purser
Producer/Presenter - Linux Australia Update
http://k-sit.com - My Blog
http://la-pod.k-sit.com - Linux Australia Update Podcast, Blog and Forums
Skype: purserj1977
