Hi there,

I used a patched openssl for opensuse 12.2 in the repo http://download.opensuse.org...SUSE_Factory/ :

rpm -qp --changelog http://download.opensuse.org/reposit...0.2.x86_64.rpm
* Tue Apr 08 2014 dmueller@suse.com
- update to 1.0.1g:
  * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299)
  * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945)
  * Workaround for the "TLS hang bug" (see FAQ and PR#2771)

I upgraded it and all seems to be okay.

J.Karliak.

On 11.4.2014 at 09:56, Joachim Schrod wrote:
Marcus Meissner writes:
On Thu, Apr 10, 2014 at 10:39:02PM +0200, Joachim Schrod wrote:
On 04/10/14 16:31, Lew Wolfgang wrote:
What can those users running openSuSE 12.2 do to fix the problem short of upgrading to 13.1? Do/will RPMs be available for manual install?
Several users on OBS built 1.0.1g. You need to click on "Show unstable packages" (or similar) at the package search result page.
Download openssl and libopenssl and install it. Don't forget to check if you also have libopenssl1_0_0-32bit installed if you have a 64bit system.
... Base:System has the 1.0.1g version.
Hmm, I don't see it at http://download.opensuse.org/repositories/Base:/System/openSUSE_13.1/x86_64/
Anyhow, GP asked for a 12.2 package which isn't there AFAIK. (And I also have some 12.2 VMs that I can't update for organizational reasons and wanted to patch.) Such packages are available in several home repositories. And anybody who doesn't update 12.2 does bad things security-wise anyhow. He or she will have to bite into more bad apples and install from a home repository...
I think we should consider just pushing 1.0.1g to 12.3 and 13.1 to reduce confusion. :/
Yes, I think that's a very good idea, from a communication point of view.
heartbleed.com and others tell users to identify their vulnerability by version number. People look at the updated packages and think they're still vulnerable. An update to 1.0.1g would mitigate that.
In addition, when one searches at OBS for openssl, the result page is http://software.opensuse.org/package/openssl. The linked info page for the 13.1 official update is about patchinfo 2424 and tells about a patch that was applied 3 months ago. While a recent version is surely in the repositories, that isn't reflected in that info page, respectively the link on the search result page is wrong. Users searching for updates who are not subscribed to the mailing list or at the forums might be led astray by that missing information update.
Cheers, Joachim
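
The version-number confusion discussed in this thread, as an added example that is not part of any message above: a package can keep an affected upstream version while carrying a backported fix, so the check has to read the changelog as well as the version. The function name `heartbleed_status`, its result strings and the sample changelogs are constructed for illustration; the affected range (1.0.1 through 1.0.1f) is the upstream one, and the check assumes the packager names the CVE in the changelog.

```sh
#!/bin/sh
# Added example: classify an openssl package for CVE-2014-0160 from its
# upstream version plus its package changelog.

# heartbleed_status VERSION CHANGELOG_TEXT  (hypothetical helper)
# Prints: not-affected | fixed-upstream | fixed-by-backport | vulnerable | unknown
heartbleed_status() {
    version=${1%%-*}      # drop an RPM release suffix such as "-11.32.1"
    changelog=$2
    case "$version" in
        1.0.1|1.0.1[a-f])
            # The version says "affected"; only the changelog can show
            # whether the distribution backported the fix.
            if printf '%s\n' "$changelog" | grep -q 'CVE-2014-0160'; then
                echo fixed-by-backport
            else
                echo vulnerable
            fi ;;
        1.0.1[g-z])
            echo fixed-upstream ;;
        0.9.8*|1.0.0*)
            echo not-affected ;;   # branches without the heartbeat code
        *)
            echo unknown ;;        # outside the range this sketch evaluates
    esac
}

# Constructed sample changelogs (not taken from a real package).
BACKPORT_LOG='* Tue Apr 08 2014 packager@example.com
- Fix for TLS heartbeat read overrun (CVE-2014-0160)'
OLD_LOG='* Mon Jan 06 2014 packager@example.com
- routine update'

# Optional: check the openssl package installed on this system.
if [ "${1:-}" = "--installed" ]; then
    heartbleed_status "$(rpm -q --qf '%{VERSION}' openssl)" \
                      "$(rpm -q --changelog openssl)"
fi
```

Run with `--installed` on an RPM-based system to classify the local openssl package; without arguments the script only defines the function.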