On Mon, 19 Jul 2004 08:37:23 -0400 (EDT), William Hooper <whooperhsd3@xxxxxxxxxxxxx> wrote:
>
> Charles Heselton said:
> [snip]
> > But I'd like to update the package to fix the security hole.
>
> What security hole? Please provide specifics (for example a CVE number).
>
> A quick look at cve.mitre.org only shows one open candidate for OpenSSL, CAN-2004-0607 (which hasn't been fixed by OpenSSL yet). Besides that, they have all been fixed since March.
>
> If you are just using version numbers to make a comparison, you really should read http://www.redhat.com/advice/speaks_backport.html
>
> --
> William Hooper
>

While it's entirely possible that I'm just getting confused on version number between OpenSSL and OpenSSH, these are the CVE #'s that I was looking to update:

CAN-2004-0079 - Null-pointer assignment during SSL handshake
CAN-2004-0112 - Out-of-bounds read affects Kerberos ciphersuites
CAN-2004-00811 - OpenSSL 0.9.6 before 0.9.6d infinite loop vulnerability

The resolution we chose at work was to upgrade to 0.9.7d. I was looking to do the same for my FC2 box at home.

--
Charlie Heselton
Network Security Engineer