Re: Redhat and OpenSSL Manner



Quoting Vahric MUHTARYAN <vahric@xxxxxxxxxxxx>:

Hello ,

We are scanning our web servers for vulnerabilities but I have a problem with one thing. I read that Red Hat never changes the version of OpenSSL but it's updating; it just adds additional numbers behind the package, like below, but I don't know if this version is equal to 0.9.7l or 0.9.8d. Does anybody have knowledge about it?

openssl-0.9.7a-43.14

It's equivalent to 0.9.7a as originally distributed by the OpenSSL project, with security and bug fixes added to it by Red Hat. The package is always built from the version of the source it claims to be, with security and bug patches applied to it.

The rule of thumb is, the version is always what it says it is, with security and bug fixes backported from newer versions. In some cases, enhancements and new features might be backported from newer versions too if they do not introduce any compatibility problems (for example, this is often done for the kernel package in RHEL to support new hardware). Notice the keyword "backported" that I used. Red Hat does not use a new version of the source code. They just reimplement fixes in the old version as a series of patches. If you look into the SRPM packages, you'll see that they contain the original, unchanged source code, which is the same version as the package version, and also a bunch of patches (security and bug fixes) that get applied to that source code prior to compilation.



--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
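As an added example (not code from the list post, and not Red Hat tooling): a POSIX shell script that splits a package label such as openssl-0.9.7a-43.14 into its name, upstream version and distribution release, and then reports which release of the package first mentioned a given fix in its changelog. The changelog text and the CVE ids in it are constructed placeholders; on a real host you would pipe in the output of `rpm -q --changelog openssl` instead.

```shell
#!/bin/sh
# Added example: a scanner that only reads the upstream version string
# will flag 0.9.7a forever, because Red Hat keeps that string and bumps
# only the release field while backporting fixes. The checks below show
# where the real information lives.

# nvr_field LABEL FIELD -> prints name, version or release of LABEL.
# The last two dash-separated fields are version and release; the name
# (which may itself contain dashes, e.g. openssl-devel) is the rest.
nvr_field() {
    label=$1
    release=${label##*-}
    rest=${label%-*}
    version=${rest##*-}
    name=${rest%-*}
    case $2 in
        name)    printf '%s\n' "$name" ;;
        version) printf '%s\n' "$version" ;;
        release) printf '%s\n' "$release" ;;
    esac
}

# Constructed stand-in for `rpm -q --changelog openssl`. The CVE ids are
# placeholders, not real advisories. Note the upstream version stays
# 0.9.7a in every entry; only the release field changes.
SAMPLE_CHANGELOG='* Tue Jan 01 2008 Maintainer <maint@example.com> 0.9.7a-43.14
- fix CVE-0000-0001 (placeholder) buffer handling in ASN.1 parser
* Mon Jan 01 2007 Maintainer <maint@example.com> 0.9.7a-43.13
- fix CVE-0000-0002 (placeholder) in RSA signature checking'

# changelog_has_fix ID [CHANGELOG] -> exit 0 if ID appears in the changelog.
changelog_has_fix() {
    printf '%s\n' "${2:-$SAMPLE_CHANGELOG}" | grep -q -- "$1"
}

# fix_release ID [CHANGELOG] -> prints the version-release of the newest
# changelog entry mentioning ID (entries are newest first), or nothing.
# Each entry header starts with "* " and ends with its version-release.
fix_release() {
    printf '%s\n' "${2:-$SAMPLE_CHANGELOG}" | awk -v id="$1" '
        /^\* /          { rel = $NF }
        index($0, id)   { print rel; exit }'
}

# Usage: compare the installed release against the release carrying the fix.
# fix_release CVE-0000-0002            -> 0.9.7a-43.13
# nvr_field openssl-0.9.7a-43.14 release -> 43.14  (newer, so the fix is in)
```

The same pattern generalises to any RPM-based distribution that backports fixes: check the package changelog (or the vendor's errata) for the advisory id rather than comparing the upstream version string.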