Hi Larry,
I am on the OSG security team.  The message also stated
that no action is required at this point.
If you block openssl updates you might miss important updates
before the v1.x comes out.
It should be that updated OSG software that can handle openssl 1.x will
be out before openssl v1.x comes through the OS distribution channels.
Doug

On 1/28/2010 11:25 AM, P. Larry Nelson wrote:
> Hi,
>
> I just received a "HIGH criticality" email from
> [log in to unmask] stating:
>
> "Do NOT upgrade to OpenSSL 1.x. The new OpenSSL version breaks the
> certificate authentication for OSG/VDT."
>
> Not having my ear to the ground vis-a-vis openssl, does anyone know if
> that version is due to be released soon?  Will it come from TUV or
> directly from openssl.org?  (Troy/Connie question)
>
> Right now, we have openssl-0.9.8e-12.el5_4.1.
>
> I suppose the thing to do is to go and edit the yum.cron.excludes on
> all our OSG nodes to block openssl* until this issue is fixed.  [sigh...]
>
> - Larry
>