[CentOS] OpenSSL Update - not a security update???

James Washington james at scholarpack.com
Mon Mar 7 18:14:29 UTC 2016


Hey all,

Sorry to jump in here but out of curiosity, has the patch actually been back ported to earlier versions of OpenSSL regarding the recent DROWN attack? I've checked the RPM change log and nothing's been mentioned relating to CVE-2016-0800 (I think that was the CVE number). Or is this thread not relating to that vulnerability?

Kind regards

James Washington

> On 7 Mar 2016, at 16:34, Johnny Hughes <johnny at centos.org> wrote:
> 
>> On 03/03/2016 02:58 PM, Mark Milhollan wrote:
>>> On Wed, 2 Mar 2016, Johnny Hughes wrote:
>>> On 03/02/2016 10:42 AM, Mark Milhollan wrote:
>> 
>>>> I wish --security was functional
>> 
>>>> I hope that the lack is not due to 
>>>> the assumed use resulting in it being ignored.
>>> 
>>> That is not the reason,
>> 
>>> We do not have enough space on donated mirrors
>> 
>> Surely the data could be tailored to provide only that which applies to 
>> the current set of RPMs.  Do we know that yum will fail if RPMs are 
>> cited in the file but which are not available for install?
> 
> Whose current set .. yours or the guy that hasn't done an update since
> 2007?
> 
> The problem is, if we say we support the security plugin, then it has to
> be able to update ANY configuration and all security updates.
> 
> Let's say that you are on 6.4 right now, there is a security update in
> 6.5 and 6.6, and there is a bugfix update in 6.7 (current version), you
> run the security plugin and it says .. no security updates (because the
> 6.7 update is only a bugfix).
> 
> You are instead behind and have a security problem .. no, you have to
> have all or it doesn't work, and it then causes people to think they are
> OK when they are not.
> 
>> 
>>> the data required for the xml file is not redistributable.
>> 
>> That does sound like it is being ignored, because you know you can't do 
>> it.
>> 
>> As things stand.
>> 
>> (I think you should put all this in an/the FAQ then point people to it, 
>> instead of sending large swaths of the same words yet again, which must 
>> surely be frustrating.)
>> 
>> But the project could lobby Red Hat for access to the file, whether for 
>> just CentOS (RH has done things just for CentOS before) or for the wider 
>> community of rebuilders.  I can't know if this has been attempted, but 
>> it has not been mentioned as having been asked.
> 
> One of the things RHEL does that CentOS doesn't do (and has never done)
> is verify security issues, verify fixes correct those issues and provide
> assurance that they are fixed.  That is why RHEL is a paid product and
> CentOS is free.
> 
> <snip>
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
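An added illustration of the failure mode Johnny describes above (a box several point releases behind, a security feed that only lists the current advisory), written for this archive page and not code from the thread or from yum: the updateinfo-style data, the package versions, the advisory ids and the simplified version comparison are all constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed data in the shape of an updateinfo.xml feed; not real CentOS/RHEL advisories.
def _advisory(adv_id, adv_type, release):
    return (f'<update type="{adv_type}"><id>{adv_id}</id><pkglist><collection>'
            f'<package name="openssl" version="1.0.1e" release="{release}"/>'
            f'</collection></pkglist></update>')

SECURITY_65 = _advisory("EXAMPLE-SA-0001", "security", "42.el6")  # placeholder id, "6.5" fix
SECURITY_66 = _advisory("EXAMPLE-SA-0002", "security", "48.el6")  # placeholder id, "6.6" fix
BUGFIX_67 = _advisory("EXAMPLE-BA-0003", "bugfix", "51.el6")      # placeholder id, "6.7" bugfix

FULL_FEED = "<updates>" + SECURITY_65 + SECURITY_66 + BUGFIX_67 + "</updates>"
CURRENT_ONLY_FEED = "<updates>" + BUGFIX_67 + "</updates>"   # only the latest advisory
INSTALLED = {"openssl": ("1.0.1e", "30.el6")}                # constructed "6.4-era" build

def _vertuple(s):
    """Split a version-release string into comparable tokens. Simplified stand-in
    for rpmvercmp; adequate for the constructed strings above."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", s))

def parse_updateinfo(xml_text):
    """Return [(advisory_id, type, {pkgname: (version, release)}), ...]."""
    advisories = []
    for upd in ET.fromstring(xml_text).findall("update"):
        pkgs = {p.get("name"): (p.get("version"), p.get("release")) for p in upd.iter("package")}
        advisories.append((upd.findtext("id"), upd.get("type"), pkgs))
    return advisories

def pending_advisories(installed, advisories):
    """Advisories that ship a newer build of a package installed on this system."""
    out = []
    for adv_id, adv_type, pkgs in advisories:
        for name, (ver, rel) in pkgs.items():
            if name in installed:
                iv, ir = installed[name]
                if _vertuple(ver + "-" + rel) > _vertuple(iv + "-" + ir):
                    out.append((adv_id, adv_type))
                    break
    return out

def security_updates_reported(installed, xml_text):
    """What a 'yum --security'-style check would report from the given feed."""
    return [a for a, t in pending_advisories(installed, parse_updateinfo(xml_text))
            if t == "security"]

if __name__ == "__main__":
    print("full feed:        ", security_updates_reported(INSTALLED, FULL_FEED))
    print("current-only feed:", security_updates_reported(INSTALLED, CURRENT_ONLY_FEED))
```

With the full feed the 6.4-era box is told about both security advisories; with the current-only feed it is told there are no security updates while still being vulnerable, which is the false sense of safety the thread warns about.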
