Upgrade to OpenSSL 0.9.8i sooner than later

CiscoMike (Verified User, joined Dec 2, 2005, 66 messages, Denver, CO)
For those who missed it, a fairly good-sized hole was found in SSL where someone could easily inject themselves into the session. It's not leaking data, as there's no evidence of any crypto cracking/breaking going on; however, the ability to inject data into the stream and/or off-load the data for later (possible) decryption is possible.

There are tools in the wild to exploit this. It's not something DA handles, so if you aren't up to snuff on how to rebuild OpenSSL, you might want to get a sysadmin to take a crack at it. I know that Wael's update.script can do it, but I'm not sure if he's updated it for OpenSSL 0.9.8i.
 
Should those of us running a nightly yum cronjob be protected?

Jeff
 
Assuming the upstream providers have backported the fixes, yes, you should be OK. However, for those folks concerned with PCI compliance (if applicable), you'll have to upgrade to the 0.9.8L libraries, since not all auditors will recognize backporting or patch levels.
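An added check, not from this thread and not part of DirectAdmin or Wael's update.script, for the two situations the replies above describe: it compares the installed OpenSSL version string against the 0.9.8l release recommended here (honouring OpenSSL's letter-suffix numbering, where 0.9.8i < 0.9.8l < 0.9.8za < 1.0.0) and, when the version is older, points at the distribution changelog where a yum/apt backport of the fix would be recorded. It assumes the usual `openssl version` output format and the usual RPM/Debian changelog locations.

```shell
#!/bin/sh
# Compare two OpenSSL version strings. Prints "yes" if HAVE >= NEED.
# usage: openssl_at_least HAVE NEED      e.g. openssl_at_least 0.9.8i 0.9.8l
openssl_at_least() {
    awk -v have="$1" -v need="$2" '
    # Build a sortable key: zero-padded numeric fields, then the letter suffix
    # prefixed by its length so that "" < "a" < "z" < "za" (0.9.8 < 0.9.8a < 0.9.8za).
    function key(v,  n, s, parts) {
        v = tolower(v)                      # forum posts write "0.9.8L"; OpenSSL uses "0.9.8l"
        sub(/-.*$/, "", v)                  # drop trailers such as "-fips"
        s = v; sub(/^[0-9.]*/, "", s)       # letter suffix, e.g. "l" or "za"
        n = v; sub(/[a-z]*$/, "", n)        # numeric part, e.g. "0.9.8"
        split(n, parts, ".")
        return sprintf("%03d%03d%03d%d%s", parts[1]+0, parts[2]+0, parts[3]+0, length(s), s)
    }
    BEGIN {
        ok = (key(have) >= key(need))       # string comparison of the keys
        if (ok) print "yes"; else print "no"
    }'
}

# Check the binary on this host against the release the thread recommends.
# A distro that backports the fix keeps the OLD version string, so "no" means
# "inspect the package changelog", not "definitely vulnerable".
# Exit status: 0 = upstream fix present, 1 = older version, 2 = openssl not found.
check_local_openssl() {
    need=${1:-0.9.8l}
    have=$(openssl version 2>/dev/null | awk '{ print $2 }')
    [ -n "$have" ] || { echo "openssl not found in PATH"; return 2; }
    if [ "$(openssl_at_least "$have" "$need")" = yes ]; then
        echo "OpenSSL $have >= $need: upstream fix present"
        return 0
    fi
    echo "OpenSSL $have < $need: look for a vendor backport in the package changelog:"
    echo "  rpm -q --changelog openssl | head -40                    # RHEL/CentOS (yum)"
    echo "  zcat /usr/share/doc/libssl*/changelog.Debian.gz | head   # Debian/Ubuntu (apt)"
    return 1
}
```

Run `check_local_openssl` on the host (optionally with a different minimum version as its argument); for an auditor who only accepts upstream version numbers, as noted above, only exit status 0 will satisfy them.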
 
Please let me know who doesn't; I can put them in touch with the people at Red Hat, who I'm sure want their solutions to be compliant.

Jeff
 