RPMS from differing releases
Hi folks,

I am relatively new to SuSE (but not to Linux and UNIX-like OSen), and have come across a problem. I want to upgrade the default OpenSSL RPM installed when the box was built (it is 8.0). I am unable to find a SuSE RPM for OpenSSL 0.9.6g/h or 0.9.7 anywhere out there (have tried rpmfind, the SuSE web sites, and mirrors, etc). Can I safely use the RPM from the 8.1 release CDs? I ask as I notice the packing lists (as grubbed out with rpm -qpl ./openssl...) are different between the two releases. If not, does anyone know of a suitable RPM that will simply apply using rpm -U? I don't want to just suck it and see, as I am upgrading a production box, and customers wouldn't be too pleased if I spammed it!

Alternatively, I am not afraid to build from source, but cannot seem to work out what options to pass to the OpenSSL config script to get all the bits installed in the "right" places (from SuSE's point of view).

Tips, pointers, links to sources of info very gratefully received! Thanks for your time, and many apologies if this is an FAQ - googling didn't bring me anything terribly useful, though, I'm afraid...

Cheers, Dan
* Daniel Bye; <dan.bye@2xp.co.uk> on 16 Jan, 2003 wrote:
I am relatively new to SuSE (but not to Linux and UNIX-like OSen), and have come across a problem. I want to upgrade the default OpenSSL RPM installed when the box was built (it is 8.0). I am unable to find a SuSE RPM for OpenSSL 0.9.6g/h or 0.9.7 anywhere out there (have tried rpmfind, the SuSE web sites, and mirrors, etc). Can I safely use the RPM from the 8.1 release CD's? I ask as I notice the packing lists (as grubbed out
I'm afraid not, as the gcc versions are different.
Alternatively, I am not afraid to build from source, but cannot seem to work out what options to pass to the OpenSSL config script to get all the bits installed in the "right" places (from SuSE's point of view).
Then get the source RPM from 8.1 and rebuild the RPM on your 8.0 box; this way you have the SuSE config options.
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Thu, Jan 16, 2003 at 02:29:19PM +0200, Togan Muftuoglu wrote:
* Daniel Bye; <dan.bye@2xp.co.uk> on 16 Jan, 2003 wrote:
I am relatively new to SuSE (but not to Linux and UNIX-like OSen), and have come across a problem. I want to upgrade the default OpenSSL RPM installed when the box was built (it is 8.0). I am unable to find a SuSE RPM for OpenSSL 0.9.6g/h or 0.9.7 anywhere out there (have tried rpmfind, the SuSE web sites, and mirrors, etc). Can I safely use the RPM from the 8.1 release CD's? I ask as I notice the packing lists (as grubbed out
I'm afraid not, as the gcc versions are different.
Ah! Of course. Must try to remember that for future reference!
Alternatively, I am not afraid to build from source, but cannot seem to work out what options to pass to the OpenSSL config script to get all the bits installed in the "right" places (from SuSE's point of view).
Then get the source RPM from 8.1 and rebuild the RPM on your 8.0 box; this way you have the SuSE config options.
Thanks, that worked a treat. Dan
On Thursday 16 January 2003 08:23 am, Daniel Bye wrote:
Hi folks,
I am relatively new to SuSE (but not to Linux and UNIX-like OSen), and have come across a problem. I want to upgrade the default OpenSSL RPM installed when the box was built (it is 8.0). I am unable to find a SuSE RPM for OpenSSL 0.9.6g/h or 0.9.7 anywhere out there (have tried rpmfind, ...snip...
Is this for security or is there some feature you absolutely need? I *highly* recommend using the latest SuSE-provided 8.0-specific OpenSSL. Remember that SuSE fixes the holes and keeps the version the same. This is to avoid integration issues such as new APIs, different file locations/names, etc.
--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
On Thu, Jan 16, 2003 at 09:48:35AM -0400, James Oakley wrote:
On Thursday 16 January 2003 08:23 am, Daniel Bye wrote:
Hi folks,
I am relatively new to SuSE (but not to Linux and UNIX-like OSen), and have come across a problem. I want to upgrade the default OpenSSL RPM installed when the box was built (it is 8.0). I am unable to find a SuSE RPM for OpenSSL 0.9.6g/h or 0.9.7 anywhere out there (have tried rpmfind, ...snip...
Is this for security or is there some feature you absolutely need? I *highly* recommend using the latest SuSE-provided 8.0-specific OpenSSL.
I'm trying to build postfix/TLS, and want to upgrade to a more recent version of OpenSSL (I recall from a few weeks ago, a report from CERT, CA-2002-23, advising users of OpenSSL to upgrade to 0.9.6e or later).
Remember that SuSE fixes the holes and keeps the version the same. This is to avoid integration issues such as new APIs, different file locations/names, etc.
OK, I didn't know that. Do you know the rationale behind the policy? It must prove very confusing to those who don't know about it. So, effectively, the openssl RPM on the update site should install a version more recent than 0.9.6c, even though it still bears the release number 0.9.6c?

Also, I am reasonably confident the OpenSSL project members take into account the need to support obsoleted API features from release to release, particularly along the same development branch.

Thanks, Dan
On Thursday 16 January 2003 10:17 am, Daniel Bye wrote:
I'm trying to build postfix/TLS, and want to upgrade to a more recent version of OpenSSL (I recall from a few weeks ago, a report from CERT, CA-2002-23, advising users of OpenSSL to upgrade to 0.9.6e or later).
The latest SuSE-provided RPM for 8.0 is not vulnerable.
Remember that SuSE fixes the holes and keeps the version the same. This is to avoid integration issues such as new APIs, different file locations/names, etc.
OK, I didn't know that. Do you know the rationale behind the policy? It must prove very confusing to those who don't know about it.
Blindly upgrading versions is not a good thing for production machines. Bugs are often introduced, APIs change, customer software breaks.
So, effectively, the openssl RPM on the update site should install a version more recent than 0.9.6c, even though it still bears the release number 0.9.6c?
No, it's 0.9.6c with the security bugs fixed.
Also, I am reasonably confident the OpenSSL project members take into account the need to support obsoleted API features from release to release, particularly along the same development branch.
There are a couple of things changed between 0.9.6c and e that affected a number of people who were installing from source, particularly on Red Hat. I highly recommend subscribing to either suse-security or suse-security-announce. You'll get all of the informative security announcements. You'll see that SuSE's security team is the best of the major distros and your mind will be at peace.
--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
On Thu, Jan 16, 2003 at 10:59:50AM -0400, James Oakley wrote:
So, effectively, the openssl RPM on the update site should install a version more recent than 0.9.6c, even though it still bears the release number 0.9.6c?
No, it's 0.9.6c with the security bugs fixed.
Understood.
Also, I am reasonably confident the OpenSSL project members take into account the need to support obsoleted API features from release to release, particularly along the same development branch.
There are a couple of things changed between 0.9.6c and e that affected a number of people who were installing from source, particularly on Red Hat.
I highly recommend subscribing to either suse-security or suse-security-announce. You'll get all of the informative security announcements. You'll see that SuSE's security team is the best of the major distros and your mind will be at peace.
Already done. And thanks for your reassurances! Now I know about the way it works, I do feel somewhat happier about it all. Thanks to all who have replied. Dan
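The two points made in this thread (rebuild the 8.1 source RPM rather than installing its binary, and check the package's own changelog instead of the upstream version string, because SuSE backports fixes and keeps the version at 0.9.6c) as an added POSIX sh example; this is not code from the thread or from SuSE. The version-release strings, release numbers and changelog text are constructed samples, and the integer comparison of the release field is an assumption that does not hold for every packaging scheme.

```shell
#!/bin/sh
# Added example: decide whether an installed openssl package carries a
# backported security fix by looking at the distro release number and the
# package changelog, not the upstream version. Sample data is constructed so
# the script runs offline; on a real SuSE box feed it the output of
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
#   rpm -q --changelog openssl

# Constructed: version-release before and after applying a SuSE update.
# The upstream version stays 0.9.6c; only the release field moves.
SAMPLE_VR_BEFORE="0.9.6c-17"
SAMPLE_VR_AFTER="0.9.6c-82"

# Constructed changelog in the format `rpm -q --changelog` prints, with an
# entry that references the CERT advisory named in the thread.
SAMPLE_CHANGELOG='* Wed Jul 31 2002 - placeholder@example.invalid
- backport fixes for the overflows described in CERT CA-2002-23
* Mon Jan 14 2002 - placeholder@example.invalid
- update to 0.9.6c'

# upstream_version VR  -> the part before the first dash (e.g. 0.9.6c)
upstream_version() { printf '%s\n' "$1" | cut -d- -f1; }

# pkg_release VR       -> the distro release part (assumed to be an integer)
pkg_release() { printf '%s\n' "$1" | cut -d- -f2; }

# has_fix CHANGELOG ID -> exit 0 when the changelog mentions the advisory id
has_fix() { printf '%s\n' "$1" | grep -q -- "$2"; }

# fix_status BEFORE AFTER CHANGELOG ID -> "backported" when the upstream
# version is unchanged, the release went up, and the changelog names the
# advisory; "unknown" otherwise (a plain version bump tells you nothing).
fix_status() {
    before=$1 after=$2 changelog=$3 advisory=$4
    if [ "$(upstream_version "$before")" = "$(upstream_version "$after")" ] \
       && [ "$(pkg_release "$after")" -gt "$(pkg_release "$before")" ] \
       && has_fix "$changelog" "$advisory"; then
        echo "backported"
    else
        echo "unknown"
    fi
}

# Togan's route, rebuilding the 8.1 source RPM on the 8.0 box, is not run
# here: `rpm --rebuild <pkg>.src.rpm` on rpm 3.x, `rpmbuild --rebuild` on 4.1+.
rebuild_hint() { echo "rpm --rebuild openssl-<version>-<release>.src.rpm"; }

fix_status "$SAMPLE_VR_BEFORE" "$SAMPLE_VR_AFTER" "$SAMPLE_CHANGELOG" "CA-2002-23"
```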