On Sat, Sep 30, 2006 at 10:47:34AM -0700, Florin Andrei wrote:
> On Fri, 2006-09-29 at 15:08 -0400, Matthew Miller wrote:
> > Anything?
>
> From Thomas Mraz (quoted without asking for permission but hopefully
> that's ok):
>
> > I'd like to generate updated OpenSSL RPM packages for Fedora 4 and
> > hopefully post it to Fedora Legacy

At least for openssl-0.9.7f this is already done and I posted where to
find it (ftp://ftp.harddata.com/pub/Legacy_srpms/).

> The correct way to patch
> the recent openssl CVEs is to add the patches from RHEL4 srpm

That source rpm available above was done by adding to
openssl-0.9.7f-7.10.src.rpm later patches from RHEL4. FC4 also supplied
openssl097a-0.9.7a-3.1.src.rpm, for back compatibility, but none of the
installations I have handy was using that so I did not bother. Likely the
same work is needed for openssl097a too. It should be "automatic" or
nearly so.

> (however the current CVE-2006-2940 patch is broken because the
> 'goto err;' in dh_key patch must be replaced with 'return -1;').

You mean on line 185 in a patched crypto/dh/dh_key.c? Looking at this
code you are definitely right. The other way to fix it would be to
explicitly initialize ctx to NULL due to a way in which BN_CTX_end()
and BN_CTX_free() operate. But in such case probably all released
updates for RHEL and FC5 and rawhide are affected too even if compiled
binaries do pass through a series of checks.

Is there any bugzilla report for that? In any case fixing that seems
quite trivial.

Michal

--
fedora-legacy-list mailing list
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
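The two fixes Michal weighs above, an early `return -1;` versus initialising `ctx` to NULL so the `err:` label is safe, as an added illustration that is not code from the thread or from OpenSSL. `ctx_t` and `ctx_new`/`ctx_end`/`ctx_free` are constructed stand-ins for the BN_CTX API, and the `key_bits > max_bits` check is a placeholder for whatever the dh_key patch rejects.

```c
/* Added model of the cleanup-path problem discussed in the mail. ctx_t and
 * ctx_new/ctx_end/ctx_free stand in for OpenSSL's BN_CTX API; the key
 * computation itself is a placeholder. */
#include <stdlib.h>
typedef struct { int live; } ctx_t;
static int g_null_frees;                 /* times cleanup ran with ctx == NULL */
static ctx_t *ctx_new(void) { return calloc(1, sizeof(ctx_t)); }
static void ctx_end(ctx_t *c) { if (c) c->live = 0; }                 /* NULL-safe */
static void ctx_free(ctx_t *c) { if (!c) { g_null_frees++; return; } free(c); }

/* Fix 1 (the one proposed in the mail): reject the bad parameter before any
 * context exists, so the early exit never reaches the err: label. */
int compute_key_return(int key_bits, int max_bits, int *out)
{
    ctx_t *ctx;
    int ret = -1;
    if (key_bits > max_bits)
        return -1;                       /* nothing acquired yet: plain return */
    ctx = ctx_new();
    if (ctx == NULL)
        goto err;
    ctx->live = 1;
    *out = key_bits;                     /* placeholder for the DH arithmetic */
    ret = 0;
err:
    ctx_end(ctx);
    ctx_free(ctx);
    return ret;
}

/* Fix 2 (the alternative named in the mail): keep 'goto err' for the early
 * check, but initialise ctx to NULL so the label's calls are no-ops. */
int compute_key_nullinit(int key_bits, int max_bits, int *out)
{
    ctx_t *ctx = NULL;                   /* left uninitialised, err: would free garbage */
    int ret = -1;
    if (key_bits > max_bits)
        goto err;
    ctx = ctx_new();
    if (ctx == NULL)
        goto err;
    ctx->live = 1;
    *out = key_bits;
    ret = 0;
err:
    ctx_end(ctx);                        /* no-op on NULL */
    ctx_free(ctx);                       /* no-op on NULL */
    return ret;
}
```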