On Jan 28, 2010, at 9:15 PM, P. Larry Nelson wrote:
> Hi Troy,
>
> Troy Dawson wrote on 1/28/2010 1:55 PM:
>> P. Larry Nelson wrote:
>>> Hi,
>>>
>>> I just received a "HIGH criticality" email from
>>> [log in to unmask] stating:
>>>
>>> "Do NOT upgrade to OpenSSL 1.x. The new OpenSSL version breaks the
>>> certificate authentication for OSG/VDT."
>>>
>>> Not having my ear to the ground vis-a-vis openssl, does anyone know if
>>> that version is due to be released soon? Will it come from TUV or
>>> directly from openssl.org? (Troy/Connie question)
>>>
>>> Right now, we have openssl-0.9.8e-12.el5_4.1.
>>>
>>> I suppose the thing to do is to go and edit the yum.cron.excludes on
>>> all our OSG nodes to block openssl* until this issue is fixed. [sigh...]
>>>
>>> - Larry
>>>
>>
>> Scientific Linux and RHEL are enterprise Linux distributions.
>> This means that they do *not* just update to the latest versions of
>> packages. RedHat and SL will *not* just update to the latest version of
>> openssl, just because it was released.
>>
>> SL 4.0 had openssl 0.9.7a
>> SL 4.8 has openssl 0.9.7a
>>
>> That is, after five years, we still have the same version of openssl.
>> RedHat backports all the security fixes into the 0.9.7a version for
>> RHEL4 (and hence SL4).
>>
>> SL 5.0 had openssl 0.9.8b
>> SL 5.4 has openssl 0.9.8e
Even SL6 won't have openssl 1. It was only added after FC12 that SL6 will eventually be based on.
Steve
>>
>> After 3 years, SL5 is still at version 0.9.8, although we have moved
>> from b to e.
>> I cannot say for 100% certain, because we are not RedHat. But according
>> to all their policies, goals, statements and past history, they are not
>> going to move openssl above version 0.9.8 for RHEL 5 (and hence SL5)
>>
>> Troy
>
> Thanks for the info and history lesson. I didn't know and didn't want
> to assume. As far as I knew, openssl 1.x might have been a big hairy
> deal security fix that was imminent.
>
> - Larry
>
> --
> P. Larry Nelson (217-244-9855) | Systems/Network Administrator
> 461 Loomis Lab | High Energy Physics Group
> 1110 W. Green St., Urbana, IL | Physics Dept., Univ. of Ill.
> MailTo:[log in to unmask] | http://www.roadkill.com/lnelson/
> -------------------------------------------------------------------
> "Information without accountability is just noise." - P.L. Nelson