Re: Why does it take so long for new (gimp, kernels, openoffice) packages to reach the stable repo ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Kevin Kofler wrote:

Rick Stevens <ricks <at> nerd.com> writes:

you really need to run 0.9.8h or 0.9.8i because of security issues.


No you don't. The only security advisory released after 0.9.8g is this:
http://www.openssl.org/news/secadv_20080528.txt
(There's another one on their site, but that's for openssl-fips, not openssl itself. That's a separate tarball which is not shipped in Fedora at all.) The security issues this fixes are CVE-2008-0891 and CVE-2008-1672. They are fixed for Fedora 9 in openssl-0.9.8g-9.fc9: 
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01029.html
The old versions of OpenSSL in Fedora 8 are not affected by either of those vulnerabilities (they were both introduced only in 0.9.8f), that's why no security update for Fedora 8 or RHEL/CentOS has been issued.
Don't believe the version numbers alone. Red Hat often backports security fixes, especially for RHEL, but also for Fedora in cases like OpenSSL where every new version is incompatible with the previous ones. You can trust the Red Hat and Fedora security teams to know what they are doing and to issue security updates where appropriate. 

I'm aware of that, but the people who do the penetration testing squawk
anything that's less than 0.9.8h.  Technically it's a false positive,
but it is still in the reports and we have to prove that it's a false
positive each time.  I know what the vulnerabilities are and I've had
discussions with the pentest people, but they won't budge.

Anyway, that's wide of the discussion here.  I was just trying to show
why it takes a while for new versions of things to get stuffed into the
update cycle and one example of how (and why) I have to go around it.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- "People tell me I look at the dark side.  That's not true.  I have -
-   the heart of a small boy......in a jar right here on my desk."   -
-                                                    -- Stephen King -
----------------------------------------------------------------------

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux