As I understand it OpenSSL v 0.9.7a and OpenSSH v 3.6.1p2 used in FC2 have had vulnerabilities for quite some time, as per the following advisories:
(http://www.openssl.org/news/secadv_20040317.txt)
This references the following vulnerabilities:
CAN-2004-0079 CAN-2004-0112
Fixes for these issues are already included in the FC2 openssl RPMs:
$ rpm -q --changelog openssl | head -3
* Thu Mar 25 2004 Joe Orton <jorton@xxxxxxxxxx> 0.9.7a-35
- add security fixes for CAN-2004-0079, CAN-2004-0112
(http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:090)
This references the following vulnerability:
CAN-2003-0693
A look at the changelog for openssh reveals that this was fixed in the 3.6.1p2-11 openssh package way back in September 2003.
My question is: are these vulnerabilities serious enough that said libraries need to be updated, which leads to the next question, as to where to find these updates (as there are presently none) on the FC2 updates mirror sites, in order to perform updates via "yum" for example?
TIA, and please forgive my ignorance if that's the case :)
You really can't read too much into version numbers for distributors' packages for security-related software. Fixes are often backported to earlier versions for stability reasons.
Regards, Paul.
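The check Paul describes, reading the package changelog rather than trusting the upstream version string, can be scripted so that it works over the whole changelog instead of the first three lines. The following is an added example written for this thread, not code from either poster; it assumes the entry layout shown above (`* <date> <author> <version>` followed by `- ` note lines), and the sample changelog text is constructed, with the address replaced by a placeholder.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed sample in the shape of `rpm -q --changelog openssl` output.
# The e-mail address is a placeholder, not the real one from the package.
SAMPLE_CHANGELOG = """\
* Thu Mar 25 2004 Joe Orton <jorton@example.invalid> 0.9.7a-35
- add security fixes for CAN-2004-0079, CAN-2004-0112
* Mon Mar 01 2004 Joe Orton <jorton@example.invalid> 0.9.7a-34
- rebuilt
"""

# Assumed entry header format: "* Thu Mar 25 2004 Author <addr> version-release"
ENTRY_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{1,2} \d{4}) (?P<author>.+?) (?P<version>\S+)$"
)
# Both the old CAN- and the current CVE- prefixes are accepted.
ID_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")


@dataclass
class Entry:
    date: str
    author: str
    version: str
    notes: list = field(default_factory=list)


def parse_changelog(text):
    """Split rpm changelog text into entries, newest first (rpm's own order)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["date"], m["author"], m["version"]))
        elif line.startswith("- ") and entries:
            entries[-1].notes.append(line[2:])
    return entries


def fixed_in(text, vuln_id):
    """Return the package version-release whose changelog entry names vuln_id,
    or None if no entry mentions it.  The upstream version (0.9.7a) does not
    change when a fix is backported; only the release suffix does."""
    for entry in parse_changelog(text):
        for note in entry.notes:
            if vuln_id in ID_RE.findall(note):
                return entry.version
    return None


if __name__ == "__main__":
    # Usage: rpm -q --changelog openssl | python check_changelog.py CAN-2004-0079
    wanted = sys.argv[1] if len(sys.argv) > 1 else "CAN-2004-0079"
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CHANGELOG
    ver = fixed_in(log, wanted)
    print(f"{wanted}: {'fixed in ' + ver if ver else 'not mentioned in changelog'}")
```

Feeding the real `rpm -q --changelog` output on stdin gives the same answer Paul reached by hand: the fix is recorded against a release suffix (here `-35`) that a plain comparison against the upstream `0.9.7a` version number would never reveal.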