On Mon, Dec 09, 2002 at 02:43:04AM +0100, Richard Levitte - VMS Whacker wrote:
| In message <[EMAIL PROTECTED]> on Mon, 9 Dec 2002 12:29:45 +1100, [EMAIL PROTECTED] said:
|
| mlh> What's the story behind the openssl-0.9.6h.BOGUS*
| mlh> files on the ftp site?
|
| They have an incorrect version number in crypto/opensslv.h. I
| retained them for hysterical raisin... historical reason...
|
| I sent a correction announcement a few hours ago, which mentions the
| patch file openssl-0.9.6h.BOGUS-0.9.6h.patch. That name should give
| you a bit of a hint :-).

It certainly gave me a hint, but perhaps not exactly what you expected.

I received the correction announcement, but no prior announcement. And I misread the correction announcement and interpreted it to mean that 0.9.6h was correcting 0.9.6g for the version number alone. It was only after seeing the *BOGUS* files on the rsync site that I reread things and discovered my error.

Apparently some announcements are not making it through. OTOH, email is an imperfect medium despite what some people say. My suggestion is to word announcements, even something like this, in a way that does not assume any previous message has been received. Technically everything was right in the announcement, and the error was my own. But better wording could have prevented it, I feel.

I'm also wondering if this should not really have resulted in yet another version, 0.9.6i, being released in its place. The reason I say that is because there will probably be numerous cases of bogus 0.9.6h copies floating around for quite a while and getting mixed and confused with the correct 0.9.6h because of the lack of any external identification (if someone picked up the 6 Dec copy and didn't get the correction, it will have the same external identity as the correct 8 Dec copy).

Given the propensity for things like OpenSSH to be very version sensitive (refuses to link at run time with a version of OpenSSL different than it was built with), this confused labeling of 0.9.6h could result in things like copies of OpenSSH that will run only with the bogus 0.9.6h. I won't feel comfortable about being sure people really are running the same version until 0.9.6i comes out. Surely this would not have been done if the reason for this was a security bug (even if it got detected within a few minutes of release). Now I wonder if the version mismatches could cause a less diligent system administrator to accidentally expose their systems.

The fact that OpenSSL uses letter additions to versions which are NOT reflected in the actual .so file produced further complicates the issue. That's a practice I wish would stop (e.g. either stop using the letters, or include the letters in the .so files so I can still use programs that are sensitive to the exact version during a transition).

To avoid those problems I have been building OpenSSH statically. So far, Apache/modssl, Curl, Lynx and Stunnel have not complained, so I continue to build those dynamically.

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN | Dallas     | http://linuxhomepage.com/ |
| [EMAIL PROTECTED]    | Texas, USA | http://ka9wgn.ham.org/    |
-----------------------------------------------------------------
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
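The mismatch Phil describes comes down to one number: a program built against a tarball whose crypto/opensslv.h carries the wrong OPENSSL_VERSION_NUMBER records that wrong value, and a strict run-time comparison against the number the installed libcrypto/libssl reports then fails, even though the .so file name (libssl.so.0.9.6) is identical for every patch letter. The following program is an added example written for this page, not code from the thread, from OpenSSL or from OpenSSH. It assumes the 0.9.x layout of OPENSSL_VERSION_NUMBER (0xMNNFFPPS: major, minor, fix, patch letter, status; 0.9.6h is 0x0090608fL), models the strict equality check the post describes next to a relaxed check at the granularity of the .so name, and uses 0.9.6g's number as a constructed stand-in for the bogus tarball, since the thread does not say which wrong value that tarball actually contained. It needs no OpenSSL headers.

```c
#include <stdio.h>
#include <string.h>

/*
 * OPENSSL_VERSION_NUMBER in the 0.9.x series is laid out as 0xMNNFFPPS:
 *   M  = major, NN = minor, FF = fix,
 *   PP = patch letter (0 = none, 1 = 'a', 2 = 'b', ...),
 *   S  = status (0 = dev, 1..14 = beta N, 15 = release).
 * So 0.9.6h = 0x0090608fL and 0.9.7 = 0x0090700fL.
 */
typedef struct {
    unsigned major, minor, fix, patch, status;
} ossl_version;

ossl_version decode_version(unsigned long v)
{
    ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >> 4)  & 0xff);
    r.status = (unsigned)(v & 0xf);
    return r;
}

/* Render a version number the way the tarballs are named, e.g. "0.9.6h",
 * with "-dev" / "-betaN" appended for non-release status values. */
int format_version(unsigned long v, char *buf, size_t len)
{
    ossl_version r = decode_version(v);
    char letter[2] = { 0, 0 };
    char status[16] = "";

    if (r.patch >= 1 && r.patch <= 26)
        letter[0] = (char)('a' + r.patch - 1);
    if (r.status == 0)
        snprintf(status, sizeof status, "-dev");
    else if (r.status < 15)
        snprintf(status, sizeof status, "-beta%u", r.status);

    return snprintf(buf, len, "%u.%u.%u%s%s",
                    r.major, r.minor, r.fix, letter, status);
}

/* Convenience for checks: does v render as the expected string? */
int version_string_is(unsigned long v, const char *expected)
{
    char buf[32];
    format_version(v, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Strict policy: the number compiled into the program must equal the number
 * the shared library reports at run time. Any difference, a patch letter
 * included, is refused. This models the behaviour the post attributes to
 * OpenSSH; it is not OpenSSH's code. */
int strict_match(unsigned long built, unsigned long running)
{
    return built == running;
}

/* Relaxed policy (hypothetical): accept any patch letter within the same
 * major.minor.fix release line, i.e. the granularity at which the .so file
 * name changes, as long as both sides have the same status (release). */
int same_release_line(unsigned long built, unsigned long running)
{
    ossl_version b = decode_version(built), r = decode_version(running);
    return b.major == r.major && b.minor == r.minor
        && b.fix == r.fix && b.status == r.status;
}

int main(void)
{
    /* Constructed scenario: a binary built against a tarball carrying the
     * wrong number (0.9.6g's value stands in for it here) is run against the
     * correct 0.9.6h library, which reports 0x0090608f. */
    const unsigned long built_with = 0x0090607fUL;
    const unsigned long library    = 0x0090608fUL;
    char a[32], b[32];

    format_version(built_with, a, sizeof a);
    format_version(library, b, sizeof b);
    printf("compiled against %s (0x%08lx), library reports %s (0x%08lx)\n",
           a, built_with, b, library);
    printf("strict check:       %s\n",
           strict_match(built_with, library) ? "ok" : "version mismatch, refusing to run");
    printf("release-line check: %s\n",
           same_release_line(built_with, library) ? "ok" : "mismatch");
    return 0;
}
```

The strict check is what makes the BOGUS tarball dangerous in practice: both tarballs produce a libssl.so.0.9.6, so nothing in the file system distinguishes them, and only the embedded number (via the library's run-time version call) reveals which one a program was built against. The relaxed check shows the alternative Phil asks for, matching at the granularity the .so name already expresses.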