SCIENTIFIC-LINUX-USERS Archives

January 2010

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: "P. Larry Nelson" <[log in to unmask]>
Reply To: P. Larry Nelson
Date: Thu, 28 Jan 2010 14:15:42 -0600
Hi Troy,

Troy Dawson wrote on 1/28/2010 1:55 PM:
> P. Larry Nelson wrote:
>> Hi,
>>
>> I just received a "HIGH criticality" email from
>> [log in to unmask] stating:
>>
>> "Do NOT upgrade to OpenSSL 1.x. The new OpenSSL version breaks the
>> certificate authentication for OSG/VDT."
>>
>> Not having my ear to the ground vis-a-vis openssl, does anyone know if
>> that version is due to be released soon?  Will it come from TUV or
>> directly from openssl.org?  (Troy/Connie question)
>>
>> Right now, we have openssl-0.9.8e-12.el5_4.1.
>>
>> I suppose the thing to do is to go and edit the yum.cron.excludes on
>> all our OSG nodes to block openssl* until this issue is fixed.  [sigh...]
>>
>> - Larry
>>
> 
> Scientific Linux and RHEL are enterprise Linux distributions.
> This means that they do *not* just update to the latest versions of 
> packages.  RedHat and SL will *not* just update to the latest version of 
> openssl, just because it was released.
> 
> SL 4.0 had openssl 0.9.7a
> SL 4.8 has openssl 0.9.7a
> 
> That is, after five years, we still have the same version of openssl.
> RedHat backports all the security fixes into the 0.9.7a version for 
> RHEL4 (and hence SL4).
> 
> SL 5.0 had openssl 0.9.8b
> SL 5.4 has openssl 0.9.8e
> 
> After 3 years, SL5 is still at version 0.9.8, although we have moved 
> from b to e.
> I cannot say for 100% certain, because we are not RedHat.  But according 
> to all their policies, goals, statements and past history, they are not 
> going to move openssl above version 0.9.8 for RHEL 5 (and hence SL5).
> 
> Troy

Thanks for the info and history lesson.  I didn't know and didn't want
to assume.  As far as I knew, openssl 1.x might have been a big hairy
deal security fix that was imminent.

- Larry

-- 
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask]        | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
  "Information without accountability is just noise."  - P.L. Nelson
