Openssl heartbleed

Ed Greshko ed.greshko at greshko.com
Wed Apr 9 07:05:51 UTC 2014


On 04/09/14 14:55, Gregory Maxwell wrote:
> On Tue, Apr 8, 2014 at 8:46 PM, Adam Williamson <awilliam at redhat.com> wrote:
>> On Tue, 2014-04-08 at 18:47 -0700, Gregory Maxwell wrote:
>>> On Tue, Apr 8, 2014 at 6:44 PM, Chuck Forsberg WA7KGX <caf at omen.com> wrote:
>>>> According to the announcement, that version is vulnerable.
>>>> Of the 1.01 versions, only 1.01g is saf(er).
>>> Red Hat backported the fix as the openssl in Fedora/RHEL is carrying a
>>> ton of patches.
>>>
>>> I expect this is going to cause a lot of confusion.
>> I don't see why. Backporting security fixes is standard procedure and
>> has been for decades. It would be extremely irresponsible to just shove
>> out a new and untested openssl build as a stable update.
> Just because it has the attention of less experienced people. I've now
> seen confusion about Fedora being fixed in two places. Just a data
> point.  I don't think that any different behavior is advisable.

Of course the more experienced people can assist the less experienced people by pointing out.....

[egreshko at meimei azureus]$ rpm -q --changelog openssl | more
* Mon Apr 07 2014 Dennis Gilmore <dennis at ausil.us> - 1.0.1e-37.1
- pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency

and clearing up any confusion.

-- 
Getting tired of non-Fedora discussions and self-serving posts
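
The changelog check shown in the message above, as an added shell example that is not part of the original post: it reads `rpm -q --changelog` output on stdin and reports which changelog entry mentions a given CVE, since a backported fix does not change the upstream version string. The function names and the second sample entry are constructed for illustration; the first sample entry is the one quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original post).
# cve_fixed_in CVE-ID : reads `rpm -q --changelog <pkg>` text on stdin.
# Prints the version-release of the newest changelog entry that mentions the
# CVE and returns 0; returns 1 if no entry mentions it.
# Assumes a well-formed CVE id (no regex metacharacters).
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "* Mon Apr 07 2014 Name <email> - 1.0.1e-37.1"
        # The last field is the version-release the entry belongs to.
        /^\* / { evr = $NF; next }
        # Body line naming the CVE; the trailing check stops CVE-2014-0160
        # from matching a longer id such as CVE-2014-01601.
        evr != "" && $0 ~ (cve "([^0-9]|$)") { print evr; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# Sample input. First entry is the one quoted in the message; the second
# entry is constructed so the parser has more than one header to walk.
sample_changelog() {
    cat <<'EOF'
* Mon Apr 07 2014 Dennis Gilmore <dennis at ausil.us> - 1.0.1e-37.1
- pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency

* Tue Jan 07 2014 Example Packager <packager at example.invalid> - 1.0.1e-37
- constructed placeholder entry for illustration
EOF
}

# Typical use on an RPM-based host:
#   rpm -q --changelog openssl | cve_fixed_in CVE-2014-0160
```

Because the changelog belongs to the installed package, a zero exit status means the installed build already carries an entry for that CVE, whatever the upstream version number says.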

