rpm is your friend... it's a great tool! So do a "rpm -qi --changelog openssl" and find out for yourself if it is patched or not. You should see a few asn patches applied as well as the ASN.1 vulnerability patch.

Here is what my output looks like (RH7-modified version)

----
* Thu Aug 01 2002 Nalin Dahyabhai <[EMAIL PROTECTED]> 0.9.5a-29
- update asn patch to fix accidental reversal of a logic check

* Wed Jul 31 2002 Nalin Dahyabhai <[EMAIL PROTECTED]> 0.9.5a-28
- update asn patch to reduce chance that compiler optimization will remove one of the added tests

* Mon Jul 29 2002 Nalin Dahyabhai <[EMAIL PROTECTED]> 0.9.5a-27
- add patch to fix ASN.1 vulnerabilities
----

Trevor
www.gnuguy.com
gnuguy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Bret Hughes
Sent: Tuesday, October 01, 2002 8:23 AM
To: [EMAIL PROTECTED]
Subject: Re: Regarding slapper

On Tue, 2002-10-01 at 08:10, Mike Burger wrote:
>
> Now...openssl-0.9.6b-8 has been available since at least that time,
> because I up2dated it some time after my move, which occurred on July
> 26th, 2002.
>
> Now...if 0.9.6b-28 was the only version currently available from RH that
> was patched against Slapper, they'd have made it available, via up2date,
> for all the currently supported versions (6.2, and all 7.x versions),
> yes?
>
> Well, it ain't. That, and the above noted security note from Red Hat's
> web site still tells me that 0.9.6b-8 is patched. I suppose I'll let
> someone from the Red Hat team tell us, once again (as if they haven't
> answered this question enough), whether it is or not.

Mike,

You got me wondering. I have the -28 rpm and the -8 so first I looked at timestamps of the files.

[bhughes@zenon RPMS]$ ls -alrt openssl-0.9*
-rw-r--r-- 2 root root 1350028 Sep 7 2001 openssl-0.9.6b-8.i386.rpm
-r--r--r-- 1 bhughes bhughes 1410550 Aug 5 18:52 openssl-0.9.6b-28.i386.rpm

then I looked at the build times:

[bhughes@zenon RPMS]$ rpm -q --qf '%{buildtime:date}\n' -p openssl-0.9.6b-28.i386.rpm
Thu 01 Aug 2002 01:28:22 PM EST
[bhughes@zenon RPMS]$ rpm -q --qf '%{buildtime:date}\n' -p openssl-0.9.6b-8.i386.rpm
Fri 07 Sep 2001 06:48:38 PM EST

If the fix has been in the code since late July there is no way it would be in an rpm that was built on Sep 7 2001.

Looks to me that you need the -28 version. At least that is what I currently have in my installation tree here at the office.

Bret

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
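
The two checks done by hand in the thread above (find the changelog entry that introduces the fix, then compare a package's build date against it), as an added example that is not part of the original messages. The function names are hypothetical, the changelog sample is the one quoted above with addresses dropped, and the build days are the two from the build-time output rewritten in the layout of rpm's `%{buildtime:day}` format.

```shell
#!/bin/sh
# Constructed sample: the changelog entries quoted in the message above
# (packager addresses dropped). Real input: rpm -q --changelog openssl
SAMPLE_CHANGELOG='* Thu Aug 01 2002 Nalin Dahyabhai 0.9.5a-29
- update asn patch to fix accidental reversal of a logic check

* Wed Jul 31 2002 Nalin Dahyabhai 0.9.5a-28
- update asn patch to reduce chance that compiler optimization will
  remove one of the added tests

* Mon Jul 29 2002 Nalin Dahyabhai 0.9.5a-27
- add patch to fix ASN.1 vulnerabilities'

# ymd "Dow Mon DD YYYY" -> YYYYMMDD. This is the layout of changelog headers
# and of rpm's %{buildtime:day} query format.
ymd() {
    echo "$1" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $2) + 2) / 3
        printf "%04d%02d%02d\n", $4, m, $3 }'
}

# first_fix TEXT: changelog on stdin, newest entry first. Prints
# "YYYYMMDD version-release" of the OLDEST entry containing TEXT
# (case-insensitive fixed string); returns 1 if no entry mentions it.
first_fix() {
    _hit=$(awk -v pat="$1" '
        /^\* / { n = split($0, f, " ")
                 hdr = f[2] " " f[3] " " f[4] " " f[5] "|" f[n]; next }
        index(tolower($0), tolower(pat)) { hit = hdr }
        END { if (hit == "") exit 1; print hit }') || return 1
    echo "$(ymd "${_hit%|*}") ${_hit#*|}"
}

# may_contain_fix BUILD_DAY FIX_YMD: true only if the build is not older
# than the fix. Necessary, not sufficient: the changelog is the evidence.
may_contain_fix() {
    [ "$(ymd "$1")" -ge "$2" ]
}

fix=$(printf '%s\n' "$SAMPLE_CHANGELOG" | first_fix "asn.1 vulnerabilit")
echo "fix first recorded: $fix"
# Build days of the two packages compared in the thread, in :day layout.
for day in "Fri Sep 07 2001" "Thu Aug 01 2002"; do
    if may_contain_fix "$day" "${fix%% *}"; then
        echo "built $day: not older than the fix, check its changelog"
    else
        echo "built $day: predates the fix, cannot contain it"
    fi
done
```

On a live system, pipe `rpm -q --changelog openssl` into `first_fix` and take the build day from `rpm -q --qf '%{buildtime:day}\n' openssl`.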