Red Hat DOES include the security fixes in their updates. It is just that they don't 
change the base version number in the rpm numbering scheme - or, at least for Red Hat 
version 9 and earlier, they didn't. The way they tracked changes in a given package 
was to change the number after the dash. For instance, using Apache as an example, 
they would name the package apache-1.3.24-3.i386.rpm. This would indicate that it was 
the third update to their packaging of apache 1.3.27. That might actually correspond 
to apache 1.3.27 in terms of security patches. In Fedora Core, the package naming does 
change to reflect the version of the source code. I have not kept up with how Red Hat 
handles package naming in the Enterprise line.

Despite the confusion in their naming scheme, you do not have to upgrade the entire OS 
and kernel to update OpenSSL. The main reason for you to upgrade your OS at this point 
is to get to a version that is being actively supported. Within the Red Hat world, 
that translates to using Fedora Core or Red Hat Enterprise Linux, version 3.

To keep this more focused on OpenSSL, I have not yet completely checked out the 
dependencies on OpenSSL within Fedora Core. I just have a feeling that the packages 
stand alone a lot more than 7.3 did.

Janet Shea
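As an added illustration of the version-versus-release point above (example code, not from this thread, from Red Hat or from the OpenSSL project): a POSIX sh script that splits an RPM file name into name, version, release and arch, then compares two builds of the same package with a reduced form of rpm's own segment-by-segment ordering. The package file names in it are constructed for the demo, and the comparison deliberately omits the tilde/caret rules that later rpm versions added; it does not query any installed package.

```shell
#!/bin/sh
# Added example (not code from the thread): pull name, version, release and
# arch apart from an RPM file name, and compare two builds the way rpm does,
# so that a rebuilt Red Hat package with the same upstream version but a
# higher release number is recognised as newer. All file names below are
# constructed for illustration.

# rpm_parse FILE.rpm -> "name version release arch". Parsing from the right
# is what makes this work: version and release may not contain a dash, but
# the name may (openssl-devel), so the last two dash-separated fields are
# release and version, and everything before them is the name.
rpm_parse() {
    f=${1%.rpm}
    arch=${f##*.};    f=${f%.*}
    release=${f##*-}; f=${f%-*}
    version=${f##*-}; name=${f%-*}
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# segments STRING -> rpm-style segments on one line: runs of digits and runs
# of letters, with separators dropped ("0.9.6b" -> "0 9 6 b").
segments() {
    printf '%s' "$1" | sed -e 's/[^[:alnum:]][^[:alnum:]]*/ /g' \
        -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
        -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
        -e 's/^  *//'
}

# vercmp A B -> prints -1, 0 or 1 as A is older than, equal to or newer than B.
# Simplified rpmvercmp: numeric segments compare as numbers (so 10 > 7),
# alphabetic ones as strings, a numeric segment outranks an alphabetic one,
# and whichever side has segments left over is newer. The tilde/caret rules
# of later rpm releases are not implemented; packages of this era lacked them.
vercmp() {
    a=$(segments "$1"); b=$(segments "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        [ -z "$a" ] && { printf '%s\n' -1; return 0; }
        [ -z "$b" ] && { printf '%s\n' 1; return 0; }
        x=${a%% *}; a=${a#"$x"}; a=${a# }
        y=${b%% *}; b=${b#"$y"}; b=${b# }
        case $x in *[!0-9]*) xnum=0 ;; *) xnum=1 ;; esac
        case $y in *[!0-9]*) ynum=0 ;; *) ynum=1 ;; esac
        if [ "$xnum" -ne "$ynum" ]; then
            [ "$xnum" -eq 1 ] && printf '%s\n' 1 || printf '%s\n' -1
            return 0
        fi
        # expr compares two integers numerically, anything else as strings
        if expr "$x" \< "$y" >/dev/null; then printf '%s\n' -1; return 0; fi
        if expr "$x" \> "$y" >/dev/null; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# rpm_cmp A.rpm B.rpm -> -1/0/1 for two builds of the same package: the
# upstream version decides first, then the vendor release.
rpm_cmp() {
    set -- $(rpm_parse "$1") $(rpm_parse "$2")   # n1 v1 r1 a1 n2 v2 r2 a2
    [ "$1" = "$5" ] || { echo "rpm_cmp: different packages: $1 vs $5" >&2; return 2; }
    c=$(vercmp "$2" "$6")
    [ "$c" -ne 0 ] && { printf '%s\n' "$c"; return 0; }
    vercmp "$3" "$7"
}

# Demo: same upstream version, different Red Hat release numbers (constructed).
installed=openssl-0.9.6b-28.i386.rpm
errata=openssl-0.9.6b-35.7.i386.rpm
printf 'installed: %s\nerrata:    %s\n' "$(rpm_parse "$installed")" "$(rpm_parse "$errata")"
case $(rpm_cmp "$installed" "$errata") in
    -1) echo "installed build is older: apply the errata package" ;;
     0) echo "already at the errata build" ;;
     1) echo "installed build is newer than the errata" ;;
esac
```

On a real box the file name only tells you the build; `rpm -q openssl` prints the installed name-version-release, and `rpm -q --changelog openssl` lists what Red Hat backported into that release, which is the reliable way to see whether a particular fix is present when the upstream version number does not move. Note also that `rpm -Fvh` (freshen) only upgrades packages that are already installed and silently skips the rest, so it is the right verb for applying an errata set without pulling in packages you never had.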

-----Original Message-----
From: J Harper [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 15:39
To: [EMAIL PROTECTED]
Subject: Re: Problems installing OpenSSL on Linux


This is an informative post, thank you.  I'd like to add that this is one of
the huge problems with RedHat's library and dependencies configuration.
Manually weeding through the dependencies by hand to install a new version
of OpenSSL from source is very difficult, and upgrading to an entirely new
kernel and OS seems completely ludicrous as a way to get timely security updates.
Production systems that are tested and have been running for months/years
can't go through this process each time a critical security update for
OpenSSL is released.

The OpenSSL team does a fine job of acknowledging and fixing security
issues, but if users of the most popular Linux distribution can't use them,
it seems like a huge issue.  Is there a workaround we don't know about?  How
well do other distributions handle this?  Ideally you could just use
apt-get, and have the latest version installed.

J Harper
PeerSec Networks
http://www.peersec.com

----- Original Message -----
From: "Shea Janet B CRBE" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 12:09 PM
Subject: RE: Problems installing OpenSSL on Linux


> Red Hat is known for customizing its packages. OpenSSL is one of the ones
that seems to be "central" to the rest of the system. It is better to use
the OpenSSL packages as released by Red Hat. You can get the latest openssl
rpm packages for 7.3 at this URL:
https://rhn.redhat.com/errata/RHSA-2003-291.html. This includes the security
fixes through September 2003 (and, I think, some of the features in 0.9.7)
despite the naming of the RPM.
>
> You will note that there are several packages there. Download all that
pertain to your platform. (If you are running on a PC, that will be the i386
platform.) Include the one that starts openssl0.9.5. It is an integral part
of this group of rpms. Once you have the rpms on your system, do rpm -Fvh
... and you should be good to go.
>
> To get later versions of openssl, and stay within Red Hat, you will need
to upgrade to a currently supported version of Red Hat Linux. I switched to
Red Hat's Fedora Core 1 for my home network and have been happy with it.
>
> Janet Shea
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 10, 2004 8:30
> To: [EMAIL PROTECTED]
> Subject: Problems installing OpenSSL on Linux
>
>
> I've inherited a system and an application that I can't quite get to
work.  I've got Redhat Linux 7.3 on Intel w/ OpenSSL 0.9.7 half-installed
(so it seems).  When I type "openssl", I get:
>
>   openssl: error while loading shared libraries: libssl.so.0.9.7: cannot
open shared object file: No such file or directory
>
> And, indeed, the so seems to be missing but I've looked for an RPM and
can't find one that works.  I found one on my system and one on the web but
>
>    rpm -force -i therpm
>
> completes very quickly and appears to accomplish nothing.  If I
add --percent, I get "100%" twice and still nothing seems to have happened.
>
> Is there an authoritative source for a Linux RPM for OpenSSL?  A pointer
would be appreciated.  Thanks.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
