Paul: >FC3 is using the following RPM: > >$ rpm -q openssl >openssl-0.9.7a-40 > >An examination of the changelog for this RPM shows that patches for various >security vulnerabilities affecting openssl 0.9.7a have been included in this >version: > >$ rpm -q --changelog openssl >... (snip) >* Thu Mar 25 2004 Joe Orton <jorton@xxxxxxxxxx> 0.9.7a-35 > >- add security fixes for CAN-2004-0079, CAN-2004-0112 >... (snip) > >Moral of story: don't trust version numbers of packages. You are correct. However there were two security releases after this update. I still lean towards installing OpenSSL 0.9.7e directly from the OpenSSL web site. However, there may be a further release through the FC Updates site. In order to properly install the direct download, I would have to rpm -e (or yum remove) the installed rpm from FC and then install (and hope I don't break anything) the OpenSSL code. This is an "advantage" of living on the "Bleeding Edge". James McKenzie A Proud User of Linux!
