Openssl heartbleed

Gregory Maxwell gmaxwell at gmail.com
Wed Apr 9 06:55:25 UTC 2014


On Tue, Apr 8, 2014 at 8:46 PM, Adam Williamson <awilliam at redhat.com> wrote:
> On Tue, 2014-04-08 at 18:47 -0700, Gregory Maxwell wrote:
>> On Tue, Apr 8, 2014 at 6:44 PM, Chuck Forsberg WA7KGX <caf at omen.com> wrote:
>> > According to the announcement, that version is vulnerable.
>> > Of the 1.01 versions, only 1.01g is saf(er).
>>
>> Red Hat backported the fix as the openssl in Fedora/RHEL is carrying a
>> ton of patches.
>>
>> I expect this is going to cause a lot of confusion.
>
> I don't see why. Backporting security fixes is standard procedure and
> has been for decades. It would be extremely irresponsible to just shove
> out a new and untested openssl build as a stable update.

Just because it has the attention of less experienced people. I've now
seen confusion about Fedora being fixed in two places. Just a data
point.  I don't think that any different behavior is advisable.

