Hi Doug,

Doug Olson wrote on 1/28/2010 1:48 PM:
> Hi Larry,
> I am on the OSG security team.  The message also stated
> that no action is required at this point.

The email I got did not say that.  It did say: "We have proposals to fix
this issue and you will be notified when we become compatible with OpenSSL."
So it was not clear that we did not need to take action at this point.

> If you block openssl updates you might miss important updates
> before the v1.x comes out.
> It should be that updated OSG software that can handle openssl 1.x will
> be out before openssl v1.x comes through the OS distribution channels.
> Doug

Thanks for the clarification.  Maybe a followup email to [log in to unmask]
with that explanation might put some nerves at ease.  :-)

- Larry

> On 1/28/2010 11:25 AM, P. Larry Nelson wrote:
>> Hi,
>>
>> I just received a "HIGH criticality" email from
>> [log in to unmask] stating:
>>
>> "Do NOT upgrade to OpenSSL 1.x. The new OpenSSL version breaks the
>> certificate authentication for OSG/VDT."
>>
>> Not having my ear to the ground vis-a-vis openssl, does anyone know if
>> that version is due to be released soon?  Will it come from TUV or
>> directly from openssl.org?  (Troy/Connie question)
>>
>> Right now, we have openssl-0.9.8e-12.el5_4.1.
>>
>> I suppose the thing to do is to go and edit the yum.cron.excludes on
>> all our OSG nodes to block openssl* until this issue is fixed.  [sigh...]
>>
>> - Larry
>>
> 


-- 
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask]        | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
  "Information without accountability is just noise."  - P.L. Nelson