On Sat, 2006-09-30 at 13:13 -0600, Michal Jaegermann wrote: > On Sat, Sep 30, 2006 at 10:47:34AM -0700, Florin Andrei wrote: > > > I'd like to generate updated OpenSSL RPM packages for Fedora 4 and > > > hopefully post it to Fedora Legacy > > At least for openssl-0.9.7f this is already done and I posted > where to find it (ftp://ftp.harddata.com/pub/Legacy_srpms/). Actually, I was able to rebuild the src.rpm from that location on a FC4 system, but I had issues when trying to install the binary due to conflicts between 32 bit and 64 bit OpenSSL packages (it's an AMD64 machine). It's probably trivial to work around, but I've little experience with x86_64 distributions. > > The correct way to patch > > the recent openssl CVEs is to add the patches from RHEL4 srpm > > That source rpm available above was done by adding to > openssl-0.9.7f-7.10.src.rpm later patches from RHEL4. Awesome. > > (however the current CVE-2006-2940 patch is broken because the > > 'goto err;' in dh_key patch must be replaced with 'return -1;'). > > You mean on line 185 in a patched crypto/dh/dh_key.c? Looking at > this code you are definitely right. So, if your packages include the bug, could you post a fixed version please? > The other way to fix it would > be to explicitely initialize ctx to NULL due to a way in which > BN_CTX_end() and BN_CTX_free() operate. But in such case probably > all released updates for RHEL and FC5 and rawhide are affected too > even if compiled binaries do pass through a series of checks. Is > there any bugzilla report for that? I don't know. -- Florin Andrei http://florin.myip.org/ -- fedora-legacy-list mailing list fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list