> Here is an alternative. If you aren't using OpenSSL why don't you just
> uninstall it? In fact, should it be installed in the first place if it's
> not being used?

Might not be using OpenSSL directly, but I'm pretty sure OpenSSH depends on the SSL libraries being there, and I bet (hope) you're using SSH!

Red Hat backported the fixes in 0.9.6g to 0.9.6b and other SSL versions included with supported Red Hat releases back in July. They occasionally do this. The Apache security fixes in 1.3.26 were backported to 1.3.23, for example.

These are not new vulnerabilities (announced almost 2 months ago!). Unfortunately no one really notices or bothers to upgrade until someone writes a high profile virus/worm/exploit. It happens all too often in the Microsoft world!

See these URLs about the SSL worm:

http://rhn.redhat.com/errata/RHSA-2002-160.html
http://www.redhat.com/support/alerts/linux_slapper_worm.html

On RH 7.2/7.3, you should be running openssl-0.9.6b release 24 (openssl-0.9.5b-24) or higher. It looks like 28 is out there now. Do rpm -qa | grep ssl to see. rpm -Fvh to upgrade your packages. Might as well do all the openssl packages while you're at it.

There's no rpm --incantation option, but --nodeps and --replacefiles sometimes work wonders with goofy dependencies.

-Ray

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                                       http://www.r-a-y.org
Systems Engineer                    Southeastern Louisiana University
IBM Certified Specialist              AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
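
The release check described in the message above, as an added example that is not part of the original post: because the fixes were backported, the upstream version string stays at 0.9.6b and only the RPM release number shows whether a build is patched. The function names and the sample package list are assumptions made for illustration; the threshold (0.9.6b release 24) is the one given in the message.

```shell
#!/bin/sh
# Added example: classify openssl package builds by RPM release number.
# Threshold from the message above: 0.9.6b release 24 or higher on RH 7.2/7.3.
PATCHED_VERSION="0.9.6b"
MIN_RELEASE=24

# classify_nvr NAME-VERSION-RELEASE -> prints "name status" (hypothetical helper)
classify_nvr() {
    nvr=$1
    release=${nvr##*-}          # text after the last hyphen
    rest=${nvr%-*}
    version=${rest##*-}         # text between the last two hyphens
    name=${rest%-*}             # package names may themselves contain hyphens
    case $name in
        openssl|openssl-*) ;;   # only the openssl package family
        *) return 0 ;;          # anything else that matched "ssl" is skipped
    esac
    if [ "$version" != "$PATCHED_VERSION" ]; then
        echo "$name unknown"    # the message gives no threshold for other versions
        return 0
    fi
    # Compare on the leading digits of the release, ignoring any suffix.
    num=$(printf '%s' "$release" | sed 's/^\([0-9]*\).*/\1/')
    if [ -z "$num" ]; then
        echo "$name unknown"
    elif [ "$num" -ge "$MIN_RELEASE" ]; then
        echo "$name ok"
    else
        echo "$name upgrade"
    fi
}

# check_packages: one NVR per line on stdin, e.g. rpm -qa | grep ssl | check_packages
check_packages() {
    while IFS= read -r line; do
        [ -n "$line" ] && classify_nvr "$line"
    done
    return 0
}

# Constructed sample input, not taken from a real host.
SAMPLE="openssl-0.9.6b-18
openssl-devel-0.9.6b-28
openssl-perl-0.9.6-3
mod_ssl-2.8.5-4"

sample_report() { printf '%s\n' "$SAMPLE" | check_packages; }
sample_report
```

A package reported as "unknown" needs checking against the vendor errata for its own version, since the message only states a threshold for 0.9.6b.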
