On 04/09/14 14:55, Gregory Maxwell wrote:
> On Tue, Apr 8, 2014 at 8:46 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
>> On Tue, 2014-04-08 at 18:47 -0700, Gregory Maxwell wrote:
>>> On Tue, Apr 8, 2014 at 6:44 PM, Chuck Forsberg WA7KGX <caf@xxxxxxxx> wrote:
>>>> According to the announcement, that version is vulnerable.
>>>> Of the 1.01 versions, only 1.01g is saf(er).
>>> RedHat backported the fix as the openssl in fedora/rhel is carrying a
>>> ton of patches.
>>>
>>> I expect this is going to cause a lot of confusion.
>> I don't see why. Backporting security fixes is standard procedure and
>> has been for decades. It would be extremely irresponsible to just shove
>> out a new and untested openssl build as a stable update.
> Just because it has the attention of less experienced people. I've now
> seen confusion about Fedora being fixed in two places. Just a data
> point. I don't think that any different behavior is advisable.

Of course the more experienced people can assist the less experienced
people by pointing out.....

[egreshko@meimei azureus]$ rpm -q --changelog openssl | more
* Mon Apr 07 2014 Dennis Gilmore <dennis@xxxxxxxx> - 1.0.1e-37.1
- pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency

and clearing up any confusion.

-- 
Getting tired of non-Fedora discussions and self-serving posts
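The changelog check shown in the message above, turned into a reusable script (an added example, not part of the original post): it parses `rpm -q --changelog` output and reports which build first mentions a given CVE, since a backported fix leaves the upstream version string (1.0.1e here) unchanged. The function names, the sample data and the older changelog entry are constructed for illustration, and the parser assumes each entry header ends in the version-release.

```shell
#!/bin/sh
# fixed_in CVE-ID: read changelog text on stdin and print the version-release
# of the newest entry whose body mentions the CVE. Exit status 1 if none does.
fixed_in() {
    awk -v cve="$1" '
        BEGIN { pat = "(^|[^0-9A-Za-z-])" cve "([^0-9]|$)" }  # match the whole id only
        /^\* / { ver = $NF; next }     # header: "* date packager <mail> - ver-rel"
        ver != "" && $0 ~ pat { print ver; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# check_pkg PKG CVE-ID: the same check against the installed RPM database.
check_pkg() {
    rpm -q --changelog "$1" | fixed_in "$2"
}

# Constructed sample: the first entry is the one quoted in the message,
# the second is an invented older entry that does not mention the CVE.
sample_changelog() {
cat <<'EOF'
* Mon Apr 07 2014 Dennis Gilmore <dennis@xxxxxxxx> - 1.0.1e-37.1
- pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency

* Tue Jan 07 2014 Example Packager <packager@example.org> - 1.0.1e-37
- constructed earlier entry, no CVE reference
EOF
}

echo "CVE-2014-0160 fixed in build: $(sample_changelog | fixed_in CVE-2014-0160)"
```

On a live system, `check_pkg openssl CVE-2014-0160` runs the same parse against the installed package; a non-zero exit means the changelog never mentions the CVE, which is not proof the fix is absent.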