Scootgirl said:
Hi Rahul,
I used that tool and it said everything on my system was OK except the following:
[16:55:09] Scanning OpenSSL... [16:55:09] /usr/bin/openssl found [16:55:09] Version 0.9.7a seems to be vulnerable (if unpatched)!
This is a very old version of OpenSSL 0.9.7 and has a known vulnerability, which was confirmed at the OpenSSL (www.openssl.org) web page. OpenSSL 0.9.7 is now up to version 0.9.7e, released two weeks before FC3 was released. I think that FC3 should have at least OpenSSL 0.9.7d. Depending on how you installed FC/RH you can just download the source code and build OpenSSL.
I wonder if this is a false positive since I use the up2date tool frequently. If not, where can I get this patch?
Depending on which release you have, you might not get the latest and greatest release/updates. That is why I tend to visit most of the sites that directly support additional software for my system on a semi-regular basis. I will check my system to see which version of OpenSSL is installed, and if necessary, update it. If I get the time, I may build an .rpm for OpenSSL and send it to the Extras site when it comes up.
FC3 is using the following RPM:
$ rpm -q openssl openssl-0.9.7a-40
An examination of the changelog for this RPM shows that patches for various security vulnerabilities affecting openssl 0.9.7a have been included in this version:
$ rpm -q --changelog openssl ... (snip) * Thu Mar 25 2004 Joe Orton <jorton@xxxxxxxxxx> 0.9.7a-35
- add security fixes for CAN-2004-0079, CAN-2004-0112 ... (snip)
Moral of story: don't trust version numbers of packages.
Paul.
