* Michael D. Schleif (mds@helices.org) [020929 18:28]: ::Ben => :: ::Thank you, for your participation. No, my associate has very little ::idea what he is doing. :: ::# find / | grep lib | grep -i openssl ::/usr/share/doc/packages/openssl-doc/ssl/SSL_library_init.pod ::/var/lib/YaST/patches/i386/update/7.2/patches/openssl-5395.20020929.installed ::/var/lib/YaST/patches/i386/update/7.2/sec1/openssl-0.9.6a-69.i386.rpm ::/var/lib/YaST/patches/i386/update/7.2/d2/openssl-devel-0.9.6a-69.i386.rpm ::/var/lib/YaST/patches/i386/update/7.2/doc3/openssl-doc-0.9.6a-69.i386.rpm :: :: ::# sshd -v ::sshd: illegal option -- v ::sshd version OpenSSH_2.9.9p2 :: :: ::Please, straighten me out . . . If he's updated to the latest pkgs from SuSE's FTP site then you should be good. As I was saying earlier. SuSE patches existing versions of the software as not to break deps by other software on the system. The updated version of SSH for the SLES would be 2.9.9p2 but a patched version..since SLES is based on SuSE 7.0 and that's the same version of OpenSSH. I know it's confusing and I'm not sure I like it, but it's how SuSE does it. It's been a major topic on the SuSE Security list for the -ast few months. ::think we know. The more I know, the more I know I don't know . . . As you can see by the date below. These packages were posted on Aug. 13th which is a month after the major OpenSSL bug that people are still talking about. No matter how many versions of Slapper or what new tools come to exploit the SSL problem. SuSE's patched it...or at least they've patched to the current known bug set. So trust it as much as you trust anything else created by humans to be perfect. :) ftp://ftp.gwdg.de:0/pub/linux/suse/ftp.suse.com/suse/i386/update/7.2/sec1/ ---- wrw-r--r-- 1 emoenke ftp 1729599 Aug 13 04:12 openssh-2.9.9p2-126.i386.rpm -rw-r--r-- 1 emoenke ftp 965831 Aug 13 03:59 openssl-0.9.6a-69.i386.rpm ---- If your associate isn't UNIX/LINUX savvy then I would suggest restricting his access until he learns more if this is a production machine that houses important data. If you can't do that. Then I'm not sure what to say. But as long as he keeps the current patches installed at least by date then you should be better off then not. I would suggest having him subscribe to the security list and if he is even the slightest bit worried that he doesn't know what he's doing. He should post. They are really good people on that list and as long as the question is security related. They'll help him. As far as information on YaST2..on that version of SuSE I never went near it. It was to new for my tastes and often didn't work as well as I would have liked. I stuck with yast1 in this case. You should have information on that version in the system. YaST2 will effect you more if you go to SLES 8.0 which is a huge improvement over 7.0 :) Cheers! -- Ben Rosenberg ---===---===---===--- mailto:ben@whack.org Tell me what you believe.. I tell you what you should see.