OpenSSL and OpenSSH vulnerabilities

Paul Howarth paul at
Tue Oct 12 12:50:59 UTC 2004

Joseph Suarez wrote:
> As I understand it OpenSSL v 0.9.7a and OpenSSH v 3.6.1p2 used in FC2 
> have had vulnerabilities for quite some time, as per the following 
> advisories:
> (

This references the following vulnerabilities:


Fixes for these issues are already included in the FC2 openssl RPMs:

$ rpm -q --changelog openssl | head -3
* Thu Mar 25 2004 Joe Orton <jorton at> 0.9.7a-35
- add security fixes for CAN-2004-0079, CAN-2004-0112

> (

This references the following vulnerability:


A look at the changelog for openssh reveals that this was fixed in the 
3.6.1p2-11 openssh package way back in September 2003.

> My question is: are these vulnerabilities serious enough so that said 
> libraries need to be updated, which leads to next question, as to where 
> to find these updates (as there are presently none) on the FC2 updates 
> mirror sites, in order to perform updates via "yum" for example?
> TIA, and please forgive my ignorance if that's the case :)

You really can't read too much into version numbers for distributors' packages 
for security-related software. Fixes are often backported to earlier versions 
for stability reasons.

Regards, Paul.
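
The changelog check described in the message above, as an added example that is not part of the original post or of any Fedora tooling: a shell function that reports which package release a changelog credits with a given fix, treating the older CAN- prefix and the later CVE- prefix as the same identifier. The function names, the sample text and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `rpm -q --changelog` (newest
# entry first). Addresses and the second entry are placeholders.
sample_changelog() {
cat <<'EOF'
* Thu Mar 25 2004 Joe Orton <packager@example.invalid> 0.9.7a-35
- add security fixes for CAN-2004-0079, CAN-2004-0112

* Mon Feb 02 2004 Example Packager <packager@example.invalid> 0.9.7a-34
- rebuild
EOF
}

# fix_release ID
# Reads changelog text on stdin and prints the version-release of each entry
# that mentions ID. Exit status is 1 when no entry mentions it.
# Assumption: the entry header line ends with the version-release field.
fix_release() {
    # Candidate ids (CAN-) were later renamed CVE-, so compare on the number.
    num=${1#CAN-}
    num=${num#CVE-}
    awk -v num="$num" '
        # True when id occurs in line and is not just a prefix of a longer id.
        function mentions(line, id,    p) {
            while ((p = index(line, id)) > 0) {
                line = substr(line, p + length(id))
                if (line !~ /^[0-9]/) return 1
            }
            return 0
        }
        /^\* / { rel = $NF; next }      # entry header: remember its release
        mentions($0, "CAN-" num) || mentions($0, "CVE-" num) {
            if (rel != last) { print rel; last = rel }
            found = 1
        }
        END { exit !found }
    '
}

# On an RPM-based host: rpm -q --changelog openssl | fix_release CVE-2004-0079
sample_changelog | fix_release CVE-2004-0079
```

A non-zero exit status only means the changelog does not name the identifier; it does not by itself show that the installed package lacks the fix.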
