Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] Linux/Slapper.worm
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Wed, 18 Sep 2002 17:41:18 +0200
  • Message-id: <3D889E9E.93587469@xxxxxxx>
Yup,

Peter Poeml wrote:

[...]

> > I can't find any ssl version of 0.9.6.e or 0.9.6.g
> > this is recommended of securityfocus.com
>
> Yes, there is no reason and no need to do risky updates from an (up to)
> two year old openssl version to the newest one which could break half of
> your system. Times change, compilers and other tools as well as their
> usage changes... Look at the openssl changelog alone, and see how much
> has changed there since then! Really, all you want is a fix for that
> given security vulnerability, i.e. an appropriate source code patch.
> Guess what, we add such patches to our packages :) yes, and that's why
> we send out those fancy announcements...

[...]

For the record, I have manually updated about three dozen *nix boxes'
openssl/Apache now, and it's definitely no problem to switch from an
older openssl to 0.9.6e or g. The only critical thing is to choose the
correct SSL patch ("FixPatch") for the corresponding Apache and openssl
versions.

Needless to say that I ran numerous tests to ensure that the new
versions work as expected.

Of course it's definitely more convenient/safe to do these updates via
RPM/You, I don't want to encourage anyone to wreck their systems.

> Peter

Boris
---
