On Thursday 16 January 2003 10:17 am, Daniel Bye wrote:
I'm trying to build postfix/TLS, and want to upgrade to a more recent version of OpenSSL (I recall from a few weeks ago, a report from CERT, CA-2002-23, advising users of OpenSSL to upgrade to 0.9.6e or later).
The latest SuSE-provided RPM for 8.0 is not vulnerable.
Remember that SuSE fixes the holes and keeps the version the same. This is to avoid integration issues such as new APIs, different file locations/names, etc.
OK, I didn't know that. Do you know the rationale behind the policy? It must prove very confusing to those who don't know about it.
Blindly upgrading versions is not a good thing for production machines. Bugs are often introduced, APIs change, customer software breaks.
So, effectively, the openssl RPM on the update site should install a version more recent than 0.9.6c, even though it still bears the release number 0.9.6c?
No, it's 0.9.6c with the security bugs fixed.
Also, I am reasonably confident the OpenSSL project members take into account the need to support obsoleted API features from release to release, particularly along the same development branch.
There are a couple of things changed between 0.9.6c and e that affected a number of people who were installing from source, particularly on Red Hat. I highly recommend subscribing to either suse-security or suse-security-announce. You'll get all of the informative security announcements. You'll see that SuSE's security team is the best of the major distros and your mind will be at peace.
--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
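The point made in this thread, that a distribution's RPM can carry the fix for an advisory while still reporting the old upstream version, means the package's release tag and changelog are what to inspect, not the version string. The script below is an added example (not from the thread or from SuSE) showing that check; the NVR string, changelog text, dates, addresses and release number are constructed placeholders, and on a real host they would come from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' openssl` and `rpm -q --changelog openssl`.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether an installed RPM carries a
# backported security fix by reading its release tag and changelog rather than
# trusting the upstream version string (SuSE keeps "0.9.6c" and patches it).
# All data below is CONSTRUCTED; CA-2002-23 is the CERT advisory named in the
# thread, everything else (dates, addresses, release 17) is a placeholder.

CONSTRUCTED_NVR='openssl-0.9.6c-17'

CONSTRUCTED_CHANGELOG='* Tue Jul 30 2002 security@example.com
- backport fixes for the SSL handshake overflows (CERT CA-2002-23)
* Mon Jan 14 2002 packager@example.com
- update to 0.9.6c'

# version_of NVR -> upstream version field (second-to-last dash-separated
# field, so package names that themselves contain dashes are handled too)
version_of() {
    printf '%s\n' "$1" | sed -E 's/^.*-([^-]+)-[^-]+$/\1/'
}

# release_of NVR -> distribution release tag (last dash-separated field)
release_of() {
    printf '%s\n' "$1" | sed -E 's/^.*-([^-]+)$/\1/'
}

# changelog_mentions CHANGELOG ADVISORY -> succeeds when the changelog cites
# the advisory identifier (case-insensitive, fixed-string match)
changelog_mentions() {
    printf '%s\n' "$1" | grep -qiF -- "$2"
}

# fix_status NVR CHANGELOG ADVISORY -> "backported" when the changelog cites
# the advisory (version string unchanged), "unpatched" when it does not
fix_status() {
    if changelog_mentions "$2" "$3"; then
        echo "backported"
    else
        echo "unpatched"
    fi
}

# Stand-alone usage with the constructed data
printf 'version=%s release=%s status=%s\n' \
    "$(version_of "$CONSTRUCTED_NVR")" \
    "$(release_of "$CONSTRUCTED_NVR")" \
    "$(fix_status "$CONSTRUCTED_NVR" "$CONSTRUCTED_CHANGELOG" CA-2002-23)"
```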