Re: Why does it take so long for new (gimp, kernels, openoffice) packages to reach the stable repo?

Kevin Kofler wrote:
> Rick Stevens <ricks <at> nerd.com> writes:
> > you really need to run 0.9.8h or 0.9.8i because of security issues.
>
> No you don't. The only security advisory released after 0.9.8g is this:
> http://www.openssl.org/news/secadv_20080528.txt
> (There's another one on their site, but that's for openssl-fips, not openssl itself. That's a separate tarball which is not shipped in Fedora at all.) The security issues this fixes are CVE-2008-0891 and CVE-2008-1672. They are fixed for Fedora 9 in openssl-0.9.8g-9.fc9:
> https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01029.html
> The old versions of OpenSSL in Fedora 8 are not affected by either of those vulnerabilities (they were both introduced only in 0.9.8f), that's why no security update for Fedora 8 or RHEL/CentOS has been issued.
>
> Don't believe the version numbers alone. Red Hat often backports security fixes, especially for RHEL, but also for Fedora in cases like OpenSSL where every new version is incompatible with the previous ones. You can trust the Red Hat and Fedora security teams to know what they are doing and to issue security updates where appropriate.

I'm aware of that, but the people who do the penetration testing squawk
anything that's less than 0.9.8h.  Technically it's a false positive,
but it is still in the reports and we have to prove that it's a false
positive each time.  I know what the vulnerabilities are and I've had
discussions with the pentest people, but they won't budge.

Anyway, that's wide of the discussion here.  I was just trying to show
why it takes a while for new versions of things to get stuffed into the
update cycle and one example of how (and why) I have to go around it.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- "People tell me I look at the dark side.  That's not true.  I have -
-   the heart of a small boy......in a jar right here on my desk."   -
-                                                    -- Stephen King -
----------------------------------------------------------------------
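The disagreement above (a scanner flagging anything below 0.9.8h versus a distribution that backported the fixes into 0.9.8g-9) is essentially two different assessment rules. The following is an added example, not code from either poster or from Fedora, that implements both rules side by side: the version-only rule the report applies, and an assessment that also checks whether the advisory's CVE ids appear in the package changelog (the place Red Hat and Fedora record backported fixes, readable with `rpm -q --changelog openssl`). The changelog text, maintainer name and dates are constructed placeholders; the CVE ids, the "introduced in 0.9.8f" and "fixed in 0.9.8h" facts are those stated in the thread.

```python
import re

# Constructed sample in the style of `rpm -q --changelog openssl` output.
# NOT the real Fedora changelog: the maintainer, dates and wording are
# placeholders; only the CVE ids and versions come from the thread.
SAMPLE_CHANGELOG = """\
* Wed May 28 2008 Example Maintainer <maint@example.invalid> - 0.9.8g-9
- fix CVE-2008-0891 and CVE-2008-1672 (see openssl secadv_20080528)

* Mon Jan 21 2008 Example Maintainer <maint@example.invalid> - 0.9.8g-1
- update to 0.9.8g
"""

# Advisory facts as stated in the thread: both issues were introduced in
# 0.9.8f and fixed upstream in 0.9.8h.
ADVISORY = {
    "cves": ["CVE-2008-0891", "CVE-2008-1672"],
    "introduced": "0.9.8f",
    "fixed_upstream": "0.9.8h",
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(version):
    """Turn '0.9.8g' into (0, 9, 8, 'g').

    OpenSSL 0.9.8 patch releases differ only by a letter suffix; an empty
    suffix ('0.9.8') compares lower than any letter, which is the order the
    project used.
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def naive_scanner_flags(version, minimum="0.9.8h"):
    """The version-only rule in the pentest report: anything below the
    upstream fixed version is reported, whether or not fixes were backported."""
    return parse_version(version) < parse_version(minimum)


def fixed_cves(changelog):
    """Set of CVE ids mentioned anywhere in an RPM changelog text."""
    return set(CVE_RE.findall(changelog))


def assess(version, changelog, advisory):
    """Classify an installed build against one advisory, backports included.

    Order of checks: a build older than the version that introduced the bug
    is not affected; a build at or past the upstream fix is fixed; anything
    in between is fixed only if every CVE id is recorded in its changelog.
    """
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return "not affected: predates the vulnerable code"
    if v >= parse_version(advisory["fixed_upstream"]):
        return "fixed upstream"
    missing = sorted(set(advisory["cves"]) - fixed_cves(changelog))
    if not missing:
        return "fixed by backport"
    return "vulnerable: no fix recorded for " + ", ".join(missing)


if __name__ == "__main__":
    # The Fedora 9 case from the thread, an unpatched 0.9.8g, and a Fedora 8 era build.
    for ver, log in [("0.9.8g", SAMPLE_CHANGELOG), ("0.9.8g", ""), ("0.9.8e", "")]:
        print(f"{ver:8} scanner flags: {naive_scanner_flags(ver)!s:5} "
              f"assessment: {assess(ver, log, ADVISORY)}")
```

On a real host, replace `SAMPLE_CHANGELOG` with the output of `rpm -q --changelog openssl`; the `0.9.8g` row with the changelog shows the pattern behind the false positive (scanner says flagged, changelog-aware assessment says fixed by backport), and the empty-changelog row shows that the same version with no recorded fix is correctly still reported. The changelog check is only as good as the maintainer's habit of naming CVE ids in it, which is why the advisory URL is the authoritative cross-reference when a finding has to be disputed.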

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines