Re: Why does it take so long for new (gimp, kernels, openoffice) packages to reach the stable repo ?

Rick Stevens <ricks <at> nerd.com> writes:
> you really need to run 0.9.8h or 0.9.8i because of security issues.

No you don't. The only security advisory released after 0.9.8g is this:
http://www.openssl.org/news/secadv_20080528.txt
(There's another one on their site, but that's for openssl-fips, not openssl 
itself. That's a separate tarball which is not shipped in Fedora at all.)
The security issues this fixes are CVE-2008-0891 and CVE-2008-1672. They are 
fixed for Fedora 9 in openssl-0.9.8g-9.fc9:
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01029.html
The old versions of OpenSSL in Fedora 8 are not affected by either of those 
vulnerabilities (they were both introduced only in 0.9.8f), that's why no 
security update for Fedora 8 or RHEL/CentOS has been issued.

Don't believe the version numbers alone. Red Hat often backports security 
fixes, especially for RHEL, but also for Fedora in cases like OpenSSL where 
every new version is incompatible with the previous ones. You can trust the Red 
Hat and Fedora security teams to know what they are doing and to issue security 
updates where appropriate.

        Kevin Kofler

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
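Added example, not part of the message above or of any Fedora tooling: one way to check for a backported fix is to search the package changelog for the CVE ids instead of comparing upstream version numbers. The function names and the sample changelog are constructed for illustration, and the script assumes the packager names the CVE id in the changelog entry that carries the fix.

```shell
#!/bin/sh
# Constructed sample in `rpm -q --changelog` format (not real package data).
sample_changelog() {
cat <<'EOF'
* Wed May 28 2008 Example Packager <packager@example.com> 0.9.8g-9
- fix CVE-2008-0891 (constructed entry)
- fix CVE-2008-1672 (constructed entry)

* Mon Apr 21 2008 Example Packager <packager@example.com> 0.9.8g-8
- rebuild (constructed entry)
EOF
}

# cve_fixed_in CVE-ID: read a changelog on stdin and print the
# version-release of every entry that mentions the id.
# Exit status is 1 when no entry mentions it.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* / { evr = $NF; next }   # entry header: last field is version-release
        # Require a non-digit after the id so a shorter id cannot match a longer one.
        $0 ~ (cve "([^0-9]|$)") && evr != seen { print evr; seen = evr; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# audit_cves CVE-ID...: read the changelog once from stdin, report each id.
# "not mentioned" means either "never affected" or "not patched"; the
# distribution's advisory tells the two apart.
audit_cves() {
    log=$(cat)
    missing=0
    for cve in "$@"; do
        if evr=$(printf '%s\n' "$log" | cve_fixed_in "$cve"); then
            echo "$cve: fixed in $evr"
        else
            echo "$cve: not mentioned in changelog"
            missing=1
        fi
    done
    return "$missing"
}

# On an RPM-based system:
#   rpm -q --changelog openssl | audit_cves CVE-2008-0891 CVE-2008-1672
sample_changelog | audit_cves CVE-2008-0891 CVE-2008-1672
```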
