El 08/04/14 08:18, Stefan Gofferje escribió:
On 04/08/2014 09:58 AM, Marcus Meissner wrote:
On Tue, Apr 08, 2014 at 08:15:59AM +0300, Stefan Gofferje wrote:
Hi,
any word on when to expect fixed OpenSSL libs for 12.3 and 13.1?
Hopefully today.
There is a fix announced now but it says
libopenssl-devel-32bit-1.0.1e-1.44.1 libopenssl1_0_0-32bit-1.0.1e-1.44.1 libopenssl1_0_0-debuginfo-32bit-1.0.1e-1.44.1
1.0.1e... According to the original CVE, 1.0.1e in still vulnerable: [snip] Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. [snap] (https://www.openssl.org/news/secadv_20140407.txt)
@Marcus: Was the team to quick quickfixing?
The distribution usually fixes this kind of problems with a source code backport instead of version update, in the particular case of 13.1 , upgrading the openSSL version should be fine though as there is no ABI change in-between. -- Cristian "I don't know the key to success, but the key to failure is trying to please everybody." -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org